MyWebSQL 'index. php' Cross-Site Scripting Vulnerability

MyWebSQL 'index. php' Cross-Site Scripting Vulnerability

Released on: 2014-09-03
Updated on: 2014-09-04

Affected Systems:
MyWebSQL 3.4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69553
CVE (CAN) ID: CVE-2014-4735

MyWebSQL is a web-based MySQL database management tool.

MyWebSQL 3.4 and other versions are not passed to "/index. php "script" table "http get parameter value, which allows remote attackers to trick the Administrator to open the constructed link and execute arbitrary HTML and script code in the vulnerable site Context Browser.

<* Source: High-Tech Bridge Security Research Lab
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Http://www.example.com /? Q = wrkfrm & amp; type = exporttbl & amp; table = % 27; % 3C/script % 3E % 3 Cscript % 3 Ealert % 28% 27 immuniweb % 27% 29; % 3C/script % 3E

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

MyWebSQL
--------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://mywebsql.net/

This article permanently updates the link address: