
Banana Dance versions B.2.6 and probably prior suffer from PHP File Inclusion, Improper Access Control and SQL Injection vulnerabilities, according to High-Tech Bridge Advisory HTB23118 - Multiple vulnerabilities in Banana Dance.
PHP File Inclusion in Banana Dance:
Input passed via the "name" POST parameter to "/functions/ajax.php" is not properly verified before being used in the "include_once()" function. This can be exploited to include arbitrary local files via directory traversal sequences and URL-encoded NULL bytes.
Improper Access Control in Banana Dance:
The application does not prevent unauthenticated users from accessing the "/functions/suggest.php" script. A remote attacker can read arbitrary information from the database.
SQL Injection in Banana Dance:
Input passed via the "return", "display", "table" and "search" POST parameters to the "/functions/suggest.php" script is not properly sanitised before being used in an SQL query. Although the "mysql_real_escape_string()" function is called on the input, it has no effect because the SQL query uses ` (backtick) quotes. Input passed via the "id" GET parameter to "functions/widgets.php", the "category" GET parameter to "functions/print.php" and the "name" GET parameter to "functions/ajax.php" is also not properly sanitised before being used in an SQL query. These vulnerabilities can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
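The backtick point above, as an added example (not code from Banana Dance or from the advisory): values placed inside backtick-quoted identifiers have to be chosen from an allowlist, while the search value is bound as a parameter. The function name build_suggest_query, the table and column names and the query shape are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: tables the suggest feature may query and the
// columns it may expose. These names are constructed for the example.
const SUGGEST_ALLOWED = [
    'articles' => ['id', 'title'],
    'tags'     => ['id', 'label'],
];

/**
 * Build a suggest query. Identifiers are picked from the allowlist, never
 * escaped: mysql_real_escape_string() escapes quote characters and
 * backslashes for string literals, but leaves the backtick that delimits
 * identifiers untouched.
 *
 * @return array{0: string, 1: array<string, string>} SQL text and bound values
 */
function build_suggest_query(string $table, string $display, string $return, string $search): array
{
    if (!array_key_exists($table, SUGGEST_ALLOWED)) {
        throw new InvalidArgumentException('table not allowed');
    }
    foreach ([$display, $return] as $column) {
        if (!in_array($column, SUGGEST_ALLOWED[$table], true)) {
            throw new InvalidArgumentException('column not allowed');
        }
    }
    // Escape LIKE wildcards so the search term is matched literally.
    $pattern = addcslashes($search, '\\%_') . '%';
    $sql = "SELECT `$return`, `$display` FROM `$table` "
         . "WHERE `$display` LIKE :pattern LIMIT 10";
    return [$sql, [':pattern' => $pattern]];
}

// Constructed inputs: a normal request, then one with a backtick in an identifier.
[$sql, $params] = build_suggest_query('articles', 'title', 'id', "o'brien 100%");
echo $sql, PHP_EOL, json_encode($params), PHP_EOL;

try {
    build_suggest_query('articles', 'title` x', 'id', 'a');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned SQL and parameter array are meant to be passed to a prepared statement (for example PDO::prepare() followed by execute()), so the search term never becomes part of the query text.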
Banana Dance is a free, open source, PHP/MySQL program that takes the best of wiki software and combines it with the best of web content management systems (CMS).