# Ariko-Security: Security Audits
# Advisory: 735/2010

============ { Ariko-Security - Advisory #1/10/2010 } =============

Awiz FHG Manager multiple vulnerabilities

Vendor's Description of Software:
# http://fhg.awizsoft.com/demo.php

Dork:
# N/A

Application Info:
# Name: Awiz FHG Manager
# ALL versions

Vulnerability Info:
# Type: multiple XSS, multiple link injections

Time Table:
# 15/08/2010 - Vendor notified.

Fix:
# n/a

Input passed to the "pagephp" parameter in edit_fhs_templ.php is not properly
sanitised before being returned to the user.

Input passed to the "pagephp" parameter in edit_php.php is not properly
sanitised before being returned to the user.

Input passed to the "sort" parameter in topstats.php is not properly
sanitised before being returned to the user.

Input passed to the "template" parameter in top_frame.php is not properly
sanitised before being returned to the user.

Solution:
# Input validation of all vulnerable parameters should be corrected.
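The fix the advisory asks for is output encoding of reflected values plus allowlist validation of parameters that select from a fixed set. The following PHP is an added example written for this page; it is not code from Awiz FHG Manager or from Ariko-Security. The function names, the `ALLOWED_SORT` column names and the `ALLOWED_TEMPLATES` template names are assumptions chosen for illustration, and the request body is constructed from the advisory's own sample.

```php
<?php
// Added example, not Awiz FHG Manager code.
// The pattern the advisory describes: a POST parameter is echoed straight
// back into the HTML response. Constructed stand-in for the affected scripts.
function render_vulnerable(array $post): string
{
    return '<input name="pagephp" value="' . ($post['pagephp'] ?? '') . '">';
}

// Hardened version: encode at the point of output. ENT_QUOTES covers the
// attribute context used here as well as plain text nodes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $post): string
{
    return '<input name="pagephp" value="' . h($post['pagephp'] ?? '') . '">';
}

// For parameters that pick one of a fixed set (the advisory's "sort" and
// "template" parameters), validate against an allowlist instead of trying
// to strip dangerous characters. These column and template names are assumed.
const ALLOWED_SORT = ['hits', 'date', 'name'];
const ALLOWED_TEMPLATES = ['default', 'compact'];

function pick_allowed(?string $value, array $allowed, string $default): string
{
    // Strict comparison so "0" or other loosely-equal values are not accepted.
    return ($value !== null && in_array($value, $allowed, true)) ? $value : $default;
}

// Constructed request body using the advisory's sample payload for pagephp
// and out-of-set values for sort and template.
$post = [
    'pagephp'  => '2<script>alert(XSS)</script>',
    'sort'     => 'hits"><script>',
    'template' => '../other',
];

// The unencoded version hands the <script> tag to the browser verbatim;
// the encoded version renders it as inert text inside the attribute.
echo render_vulnerable($post), "\n";
echo render_hardened($post), "\n";

// Both unexpected values fall back to the safe default.
echo pick_allowed($post['sort'], ALLOWED_SORT, 'hits'), "\n";
echo pick_allowed($post['template'], ALLOWED_TEMPLATES, 'default'), "\n";
```

Encoding is applied where the value is written into HTML rather than where it is read, because the correct escaping depends on the output context (attribute, text node, URL); the allowlist handles the parameters where arbitrary input has no legitimate use at all.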

Vulnerability samples:

/prw/edit_fhs_templ.php
POST: pagephp=2<script>alert(XSS)</script>

/prw/edit_php.php
POST: pagephp=[link injection]

Credit:
# Discovered By: Ariko-Security 2010