From: Kw3rLn Kw3rLn
To: moderators@osvdb.org
Date: Fri, 28 Apr 2006 02:12:08 -0700 (PDT)
Subject: [OSVDB Mods] [OSVDB] New Vulnerability

Web4Future Portal Solution SQL & XSS Vuln.
discovered by : Kw3rLn

SEVERITY:
=========
Medium

SOFTWARE:
=========
Web4Future Portal Solution
http://www.web4future.com/products.php?p=nportal

INFO:
=====
It's a professional solution dedicated to newspapers and publications that want to easily present their paper on the Internet. It comes with an easy-to-use web site manager, an automated newsletter creation utility, an automated weather forecast system and a currency converter. It creates everything automatically: front page, newsletter, archive.

AFFECTED VERSION:
=================
Latest

DESCRIPTION:
============
--==SQL injection==--
Portal Solution is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitise user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

http://www.site.com/comentarii.php?ID=[SQL]
http://www.site.com/view.php?ID=[SQL]

--==XSS==--
http://www.site.com/comentarii.php?ID=[XSS]
http://www.site.com/view.php?ID=[XSS]

VENDOR STATUS:
==============
Vendor was contacted but no response has been received to date.

SOLUTION:
=========
Edit the source code to ensure that input is properly sanitised.

CREDITS:
========
This vulnerability was discovered and researched by Kw3rLn of h4cky0u Security Forums.
mail : Kw3rLn at hotmail.com
web : http://www.h4cky0u.org

Greets to all Google.ro Mafia Members and all members of h4cky0u.org
---------------------------------
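The SOLUTION section above says only that the input should be sanitised. The following is an added example of what that fix looks like for an ID parameter such as the one in view.php; it is hypothetical code written for this page, not Web4Future's source, and the table name, column names and database credentials are assumptions.

```php
<?php
// Added example (not Web4Future's code): one hypothetical way to harden an
// "ID" lookup such as view.php?ID= against both issues in the advisory.
// Table/column names and connection details are assumptions.
//
// Pattern the advisory describes: the raw GET value reaches the query and
// is later echoed into the page unescaped, e.g.
//   $sql = "SELECT title, body FROM articles WHERE id = " . $_GET['ID'];
//
// Hardened version: validate the type, bind the value, escape the output.
function article_id_from_request(array $get): ?int
{
    // An article ID is a positive integer; anything else is rejected, so
    // neither SQL fragments nor markup can ride in on the parameter.
    if (!isset($get['ID'])) { return null; }
    $id = filter_var($get['ID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function load_article(PDO $db, int $id): ?array
{
    // Prepared statement: the value is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function h(string $s): string
{
    // HTML-escape everything that came from the request or the database
    // before it is echoed; this closes the reflected XSS on the same parameter.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('mysql:host=localhost;dbname=portal', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$id = article_id_from_request($_GET);
if ($id === null) { http_response_code(400); exit('Invalid article ID.'); }

$article = load_article($db, $id);
if ($article === null) { http_response_code(404); exit('No such article.'); }

echo '<h1>' . h($article['title']) . '</h1>';
echo '<div>' . h($article['body']) . '</div>';
```

Rejecting non-integer IDs up front also makes the attempts described above easy to spot in the web server logs, since every one of them now produces a 400 instead of a 200.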