- Authenticated (standard user) union-based SQL injections on the page /v6/lib/xhr_data.php. The following POST parameters are vulnerable: "deb", "order", "nbpp" and "layer".
PoC:
cmd=getData&layer=1856+ORDER+BY+88&deb=1&order=&way=false&nbpp=1&h=791 => No error
cmd=getData&layer=1856+ORDER+BY+89&deb=1&order=&way=false&nbpp=1&h=791 => SQL error in the response
Passwords for webapp users are stored in plaintext and in Bcrypt format.
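A detection-side check for the xhr_data.php finding above, as an added example (not code from this advisory or from the product): it flags request bodies in which the four affected parameters do not have the expected shape. The shapes (integers for "layer", "deb" and "nbpp", a bare identifier for "order") are assumptions inferred from the PoC values, and `check_body` is a hypothetical name.

```python
import re
from urllib.parse import parse_qsl

# Assumption: these parameters only ever carry plain integers (the PoC sends 1856, 1, 1).
NUMERIC_PARAMS = ("layer", "deb", "nbpp")
DIGITS = re.compile(r"[0-9]{1,10}")
# Assumption: "order" is either empty or one bare column identifier.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_body(body: str) -> list[str]:
    """Return the names of the parameters whose value breaks the expected shape."""
    # parse_qsl decodes "+" and %XX; for a repeated name the last value wins, as in PHP's $_POST.
    params = dict(parse_qsl(body, keep_blank_values=True))
    bad = [n for n in NUMERIC_PARAMS if n in params and not DIGITS.fullmatch(params[n])]
    order = params.get("order", "")
    if order and not IDENTIFIER.fullmatch(order):
        bad.append("order")
    return bad


# The two request bodies from the PoC above, plus two constructed ones.
SAMPLES = [
    "cmd=getData&layer=1856+ORDER+BY+88&deb=1&order=&way=false&nbpp=1&h=791",
    "cmd=getData&layer=1856+ORDER+BY+89&deb=1&order=&way=false&nbpp=1&h=791",
    "cmd=getData&layer=1856&deb=1&order=&way=false&nbpp=1&h=791",  # constructed, well-formed
    "cmd=getData&layer=1856&deb=x&order=a%20b&way=false&nbpp=1&h=791",  # constructed, malformed
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_body(body) or "ok", body)
```

A filter like this belongs in log review or in front of the application; the fix inside the application is parameterized queries plus an allowlist for the sort column.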
- With administrator privileges on the webapp, local file inclusion on the page /v5/admin/template.php. Only PHP files can be downloaded through the vulnerable GET parameter "page". PoC:
The content of the page "log_user.php" will be included in base64 format inside the server response.
- Authenticated (standard user) command injection on the page /v6/lib/xhr_impconf.php. The POST parameters "input" and "output" are used to craft a system command under certain circumstances.
PoC: