Description: ============ Multiple XSS and SQL injection vulnerabilities were found in Inetmedia's web services cityinfo.pl and cityaz.de, which my be exploited by attackers to gain confidential information and/or modify datebase. These flaws are due to PHP programming mistakes in: "http://users.[CITY_NAME].cityinfo.pl/";; "http://users.[CITY_NAME].cityaz.de/";; "http://[CITY_NAME].cityinfo.pl/firma.php";; "http://[CITY_NAME].cityinfo.pl/page_tpl.php";; "http://[CITY_NAME].cityaz.de/firma.php";; "http://[CITY_NAME].cityaz.de/page_tpl.php";; "https://users.[CITY_NAME].pl/";; "https://users.[CITY_NAME].de/";; "https://[CITY_NAME].cityinfo.pl/";; "https://[CITY_NAME].cityaz.de/";. CITY_NAME - name of the city in Poland or Germany. Probably there are more flaws, which were not discovered during research. Examples: ========= http://users.krakinfo.pl/index.php?msg=<script>alert(document.cookie);</script> http://www.krakinfo.pl/firma.php?id=-1%20union%20select%20*%20from%20uzytkownicy References: =========== www.cityinfo.pl stats.inetmedia.pl/cityinfo.php www.cityaz.de stats.inetmedia.pl/cityaz.php www.inetmedia.pl Credits: ======== Vulnerabilities were found by: Łukasz Juszczyk a.k.a kahir, Filip Palian a.k.a s_n. Feedback: ========= <lukasz.juszczyk at pjwstk.edu.pl> <filip.palian at pjwstk.edu.pl> Additional information: ======================= Vulnerability reported to Inetmedia on 25-06-06 at 14:30. Acknowledgment: =============== [DFT]
