Please view the original file here. Multiple vulnerabilities within the Zeeways Adserver were found. >> SQL Injection Multiple scripts with multiple parameters are affected from this vulnerability. Example #1: index.php?section=redir&affid=0&kid=0&zid=[SQL Injection] Example #2: Visit the “register” page index.php?section=user&action=register and enter your SQLi string into the email field. Fill out the other fields with some normal [...]
Author: valentin
Please view the original file here.
Multiple vulnerabilities within the Zeeways Adserver were found.
>> SQL Injection Multiple scripts with multiple parameters are affected from this vulnerability. Example #1: index.php?section=redir&affid=0&kid=0&zid=[SQL Injection] Example #2: Visit the "register" page index.php?section=user&action=register and enter your SQLi string into the email field. Fill out the other fields with some normal stuff (like test) and view your result. >> Cross-Site Request Forgery Visit the "register" page index.php?section=user&action=register and enter your CSRF string into the email field. Fill out the other fields with some normal stuff (like test) and view your result. >> Local Installation Path Disclosure Visit index.php?section=doc&action= and fill out the action parameter. Example: index.php?section=doc&action=test >> Interesting error message Visit index.php?section=doc&action=test and play around with both the section and action parameters. You will notice that a local file inclusion is not possible (especially when you look at the section variable), but still you will be able to "inject" some stuff in the action parameter. For example use index.php?section=doc&action=# to get no output. This is not a real code injection vulnerability, but still some special control characters affect the output of the website. Maybe you are able to trigger some interesting stuff.
Comments on this entry (no comments)
Did you like this post? You can share your opinion with us! Simply click here.