The host is running BugTracker.NET and is prone to cross-site scripting and SQL injection vulnerabilities.

Successful exploitation will allow attacker to cause SQL Injection attack and to conduct cross-site scripting attacks. Impact Level: Application

Upgrade to BugTracker.NET version 3.4.5 or later, For updates refer to http://www.ifdefined.com/bugtrackernet_download.html

The flaws are due to: - Input passed to the 'pcd' parameter in edit_bug.aspx, 'bug_id' parameter in edit_comment.aspx, 'default_name' parameter in edit_customfield.aspx, and 'id' parameter in edit_user_permissions2.aspx is not properly sanitised before being returned to the user. - Input passed via the 'qu_id' parameter to bugs.aspx, 'row_id' parameter to delete_query.aspx, 'us_id' and 'new_project' parameters to edit_bug.aspx, and 'bug_list' parameter to massedit.aspx is not properly sanitised before being used in a SQL query.

BugTracker.NET version prior to 3.4.5

• http://secunia.com/advisories/42418
• http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker
• http://www.exploit-db.com/exploits/15653/
• http://www.securityfocus.com/archive/1/archive/1/514957/100/0/threaded

---

Updated on 2015-03-25