securityvulns SECURITYVULNS:DOC:18053
Sep 24, 2007 - 12:00 a.m.

greensql firewall permanent xss

Site: http://greensql.net/
live-demo: http://demo.greensql.net/
Platform: all
Bug: permanent XSS
Special condition: none
Impact: semi-critical

1) Introduction
2) Bug
3) Proof of concept
4) Credits

1) Introduction

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works in a proxy mode and has built-in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known DB administrative commands (DROP, CREATE, etc).

2) Bug

Permanent (stored) XSS

=====
3) Proof of concept

The proof of concept can be placed anywhere, such as a login form or a URL value: everything is logged in the GreenSQL admin panel. The problem is that there is no filter, so the script logs your query in the database, and the query is then printed in the alert section. This can be pretty nasty: you "protect" your script against SQL injection with a firewall, but you have a permanent XSS in the panel. And only the admin actually sees the logs, so you know that the cookie is the good one!

An example can be given on the demo website:
http://www.greensql.net/sql-injection-test : fill login or password with <script>alert(document.cookie)</script>
then go to the admin panel, http://demo.greensql.net/ ; the XSS will be executed.
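
The missing filter described above, shown as a before/after rendering of logged queries together with a check that parses the rendered page (an added example, not GreenSQL's own code; the row fields id, db and query and the table layout are assumptions, and the sample rows are constructed):

```python
import html
from html.parser import HTMLParser

# Constructed sample rows; the field names (id, db, query) are assumptions.
SAMPLE_ALERTS = [
    {"id": 1, "db": "shop", "query": "SELECT * FROM users WHERE login='bob'"},
    {"id": 2, "db": "shop", "query":
        "SELECT * FROM users WHERE login='<script>alert(document.cookie)</script>'"},
]

ROW = "<tr><td>%d</td><td>%s</td><td>%s</td></tr>"

def render_alerts_unsafe(alerts):
    """Before: logged query text is written into the page unfiltered."""
    rows = "".join(ROW % (a["id"], a["db"], a["query"]) for a in alerts)
    return "<table>" + rows + "</table>"

def render_alerts_safe(alerts):
    """After: every logged field is HTML-encoded at output time."""
    rows = "".join(
        ROW % (int(a["id"]), html.escape(a["db"]), html.escape(a["query"]))
        for a in alerts
    )
    return "<table>" + rows + "</table>"

class _TagCollector(HTMLParser):
    """Records every element an HTML parser actually sees in the page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def unexpected_tags(page, allowed=("table", "tr", "td")):
    """Return tags in the rendered page that the template itself never emits."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return sorted(set(collector.tags) - set(allowed))

if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_alerts_unsafe(SAMPLE_ALERTS)))
    print("safe:  ", unexpected_tags(render_alerts_safe(SAMPLE_ALERTS)))
```

Encoding at output time also neutralises rows that were logged before the fix was deployed, which input filtering alone would not.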

=====
4) Credits

Laurent Gaffie
contact: [email protected]