Multiple SQL Injection Vulnerabilities on Web Cookbook found by Security Researcher

posted on by in: Vulnerability, Zero Day Vulnerability
0
An Independent Pakistani Security Researcher Saadat Ullah found Multiple SQL Injection Vulnerabilities on Web Cookbook. Security Researcher also found SQL Injection and XSS vulnerabilities on nconf-1.3, Plogger Gallery and on Mybb Plugin PRO STAT.

Vulnerabilities details are given below:

# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , [email protected]
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

# SQL Injection

http://localhost/cook/searchrecipe.php?sstring=[SQLi]

http://localhost/cook/showtext.php?mode=[SQLi]

http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=

http://localhost/cook/showtext.php?mode=[SQLi]

All GET Fields Are Vuln To SQLi

http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=

A simple Non-Presistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=&prefix=&preparation=&postfix=&tipp=&ingredient=

email