Date: Fri, 1 Jun 2007 13:45:32 +0200
From: "MC Iglo" <mc.iglo@googlemail.com.>
To: [email protected], [email protected]Subject: static XSS / SQL-Injection in Omegasoft Insel
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Virus-Scanned: antivirus-gw at tyumen.ru
Input passed to fields in OmegaMw7's tables isn't properly sanitized
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site and/or inject SQL-Commands
This applies to many many standard fields in different tables
e.g. F05003, F05005, F05015
and to all user-created text fields using the form creator (you cannot
do it a different way)
kind regards
MC.Iglo
