Quixplorer Multiple Vulnerabilities - Nov14

Summary
Quixplorer is installed on this host and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to gain access to arbitrary files and to execute arbitrary script code in a user's browser within the trust relationship between the user's browser and the server.
Impact Level: System/Application
Solution
Upgrade to Quixplorer version 2.5.5 or later. For updates, refer to https://github.com/realtimeprojects/quixplorer
Insight
Multiple flaws exist because input passed via the 'dir', 'item', 'order', 'searchitem', 'selitems[]', and 'srt' parameters is not validated upon submission to the /quixplorer/src/index.php script.
Affected
Quixplorer version 2.5.4 and prior.
Detection
Send crafted data via an HTTP GET request and check whether it is able to read the cookie.