Tons of SQL-injections and XSS in Eichhorn Portal and vendor page
From: MC Iglo (mc.iglogooglemail.com)
Date: Sun Aug 20 2006 - 06:10:02 CDT
There are lots of SQL injections and XSS in the 'Eichhorn Portal' by
'Guder und Koch Netzwerktechnik' and their own website.
Input passed to multiple parameters in different PHP files isn't
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of an affected site or conduct some
Because there are so many bugs, I will just give some examples of not
properly checked parameters and form fields:
textfield "suchstring" in "suchForm"
- gallerie module
- ggbns module
The vendor is not notified, because they don't offer a mail address for
this purpose. But they should see lots of strange requests in their
log files :)
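As an added illustration, not code from the Eichhorn Portal or from the poster, here is a PHP search handler of the kind the advisory describes, where the "suchstring" field of "suchForm" is both reflected into the page and concatenated into a query, beside a hardened version that binds the value as a parameter and escapes on output. The table and column names and the in-memory SQLite sample data are assumptions.

```php
<?php
// Added example, not the portal's own code. Table "artikel" and column "titel"
// are assumed names; the SQLite rows below are constructed sample data.

// --- Vulnerable pattern: raw input reaches both the HTML response and the SQL text.
function search_vulnerable(PDO $db, string $suchstring): string {
    $html = "<p>Results for: $suchstring</p>";                              // reflected XSS
    $sql  = "SELECT titel FROM artikel WHERE titel LIKE '%$suchstring%'";   // SQL injection
    foreach ($db->query($sql) as $row) {
        $html .= "<li>{$row['titel']}</li>";                                // stored data also unescaped
    }
    return $html;
}

// --- Hardened pattern: prepared statement for the query, HTML escaping for output.
function search_hardened(PDO $db, string $suchstring): string {
    // Escape for the HTML body/attribute context; ENT_SUBSTITUTE avoids empty output on bad UTF-8.
    $safe = htmlspecialchars($suchstring, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = "<p>Results for: $safe</p>";

    // The user value is never part of the SQL string; it is bound as a parameter.
    // LIKE metacharacters are escaped so input cannot widen the match to every row.
    $pattern = '%' . addcslashes($suchstring, '%_\\') . '%';
    $stmt = $db->prepare("SELECT titel FROM artikel WHERE titel LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<li>' . htmlspecialchars($row['titel'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
    }
    return $html;
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE artikel (titel TEXT)");
$db->exec("INSERT INTO artikel VALUES ('Netzwerktechnik'), ('Portal-Handbuch')");

// "suchstring" as submitted by "suchForm"; falls back to a harmless default for CLI runs.
$input = $_GET['suchstring'] ?? 'Netz';
echo search_hardened($db, $input), PHP_EOL;
```

Run with `php -S localhost:8080` and request `/?suchstring=Netz` to see the escaped output; the vulnerable function is kept only to show the two places where unchecked input reaches a sink.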