Advisories » Schoolwires Academic Portal "c" Parameter Handling Remote Cross-Site Scripting and SQL Injection Vulnerabilities

Release Date:	20/02/2008	Severity:	Moderately Critical
SecWatch Advisory:	SWID1020416	Cause:	Input validation error
Solution Status:	Unpatched	Impact:	Cross Site Scripting SQL Injection
Exploit Status:	None Available	Access Vector:	From remote
Affected Software:	Schoolwires Academic Portal
CVE:	CVE-2008-0908 CVE-2008-0909
Secunia:	SA29034

Description:

Multiple input validation vulnerabilities in Schoolwires Academic Portal have been reported, which can be exploited by remote users to conduct cross-site scripting and SQL injection attacks.

1) User-supplied input passed to the "c" parameter in browse.asp is not properly sanitised before being returned to the user in an error message. This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

2) User-supplied input passed to the "c" parameter in browse.asp is not properly sanitised before being used in SQL queries. This can be exploited by a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

Credits:

Russ McRee, Holistic InfoSec.org

Free Vulnerability Notification Service

Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.