Saturday 5 December 2009

www.myrepublica.com multiple SQLi and XSS vulnerabilities

Myrepublica is one of the newer magazines, and http://www.myrepublica.com is its online site. They post regular news updates, so the site gives visitors recent news and happenings easily... But, again, the site is not secured and suffers from ordinary SQL injection vulnerabilities.
Here are some dumps from the users table.

Sample screenshot:

Some fucking notes to them:
1) Don't fucking keep plaintext passwords in the DB
2) Don't fucking reuse the same password
3) Read sam207's article on securing this vulnerability...
4) You're giving away the location of the admin panels. Fuck you... learn some sense of security.
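Notes 1) and 3) in working form, as an added example that is not part of the original post: parameterised queries so a crafted username cannot rewrite the SQL, and salted PBKDF2 hashes so a dump of the users table never yields the plain passwords. The table schema, the user record and the in-memory SQLite database are constructed here; the site's real schema is not known from the post.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware allows


def make_db():
    # Constructed in-memory stand-in for the site's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL, emailid TEXT)")
    return conn


def hash_password(password, salt):
    # What belongs in the DB: a per-user salt plus a slow KDF, never the plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(conn, username, password, emailid):
    salt = os.urandom(16)
    # Placeholders pass the values to the driver as data, not as SQL text.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, emailid) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), emailid),
    )


def login(conn, username, password):
    # Parameterised lookup: a quote or OR clause inside `username` stays a string.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so the check leaks nothing about the stored hash.
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo():
    conn = make_db()
    add_user(conn, "editor", "correct horse battery", "editor@example.com")  # constructed
    stored = conn.execute("SELECT pw_hash FROM users WHERE username = 'editor'").fetchone()[0]
    return (login(conn, "editor", "correct horse battery"),
            login(conn, "editor", "guess"),
            login(conn, "x' OR '1'='1", "anything"),  # tautology string is now just data
            stored != b"correct horse battery")       # the table holds no plain password
```

demo() returns (True, False, False, True): the real password logs in, a wrong one and the tautology string do not, and the stored column is not the plaintext.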

Sorry, but you are so lame that I had to deface you. No offense to the myrepublica team (actually I like your newspaper); this message is to the developers of the site....
EDIT: I also found the site's search system to be vulnerable to cross-site scripting.
Thank you!!!
