MonoQL 0.1a multiple security vulnerabilities
There are multiple security vulnerabilities in MonoQL 0.1a which may allow an attacker to take control of the software.
Software Link: MonoQL
Vulnerable Version: 0.1a ( Previous versions may also be affected )
Vendor Notification: firstname.lastname@example.org [ 2010-11-22 3:00AM ]
# 2010-11-22 3:20AM # Vendor Reply: aware of issue # Advisory released
# Information Disclosure # Username Enumeration # 0.1a # Unpatched
"/login" fails to block repeated login attempts or login attempts without a password. If a correct username is supplied it returns the user's ID. An attacker could leverage "/login" to enumerate usernames and user IDs.
# Reflected Cross-Site Scripting (XSS) # 0.1a # Unpatched
The issue is due to failure in the "index" and "login" file to correctly sanitize user-supplied data in the "f" parameter.
# Authentication Bypass # 0.1a # Unpatched
A user can create a new connection without logging in to the user interface by pressing CTRL+T on any page, or by using the following URL :