Multiple Vulnerabilities found in DENR Marinduque Website

Hitman from Pinoy Vendetta shared a post claiming that the website of the Provincial Environment and Natural Resources Office Marinduque is vulnerable to XSS.

Worse, it is not just a simple XSS but a stored one: his payload (usually JavaScript) is saved on the server and served back to every visitor.

Visiting the page he claimed suffers from XSS, denr.marinduque.ph/upload.php, a JavaScript alert pops up reading “explored by Hitman,” and the page then redirects to the Pinoy Vendetta website, PV-hosting.com.

Multiple Vulnerabilities

We also browsed the website to check for other vulnerabilities and found that it can also be exploited through SQL injection: a MySQL error is displayed on the news page when a quote is placed in its input.

Another look, this time at the gallery page, shows it is indeed vulnerable to XSS. Clicking any displayed photo icon triggers injected JavaScript or HTML code.

There is also a reflected XSS; you may visit this link.
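The two findings above, an error-based SQL injection on the news page and stored XSS in the gallery, come from the same two root causes: SQL built by string concatenation and user-supplied content echoed into HTML without encoding. The following is an added example, not code from the DENR site or from Pinoy Vendetta. The site itself runs PHP; this stand-in uses Python with an in-memory SQLite database and constructed sample rows so it runs offline. It shows the vulnerable query beside its parameterized form, a regression check that reproduces the "quote triggers a database error" symptom the post relies on, and the gallery renderer with and without output encoding.

```python
import html
import sqlite3

# Constructed sample rows standing in for the site's news and gallery tables.
# None of these are the real site's records.
NEWS = [
    (1, "Coastal cleanup", "Volunteers joined the coastal cleanup."),
    (2, "Tree planting", "Seedlings were planted upland."),
]
# A constructed hostile caption of the kind a stored-XSS defacement leaves behind.
GALLERY = [(1, "Mangrove site", "<script>alert(1)</script>")]


def make_db():
    """Build an in-memory database with the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)", NEWS)
    db.execute("CREATE TABLE gallery (id INTEGER, title TEXT, caption TEXT)")
    db.executemany("INSERT INTO gallery VALUES (?, ?, ?)", GALLERY)
    return db


def news_vulnerable(db, title):
    """String-built query: a single quote in `title` breaks the SQL and the
    database error surfaces to the caller, the symptom seen on the news page."""
    sql = "SELECT id, title, body FROM news WHERE title = '" + title + "'"
    return db.execute(sql).fetchall()


def news_safe(db, title):
    """Parameterized query: the quote is passed as data and never parsed as SQL."""
    return db.execute(
        "SELECT id, title, body FROM news WHERE title = ?", (title,)
    ).fetchall()


def leaks_db_error_on_quote(db, query_fn, title):
    """Regression check for the news page: True if appending a single quote to a
    normal value makes the query function raise a database error."""
    try:
        query_fn(db, title + "'")
        return False
    except sqlite3.Error:
        return True


def render_gallery_vulnerable(db):
    """Echoes stored captions into HTML unencoded, so an injected <script> runs."""
    rows = db.execute("SELECT title, caption FROM gallery").fetchall()
    return "".join(f"<div><h3>{t}</h3><p>{c}</p></div>" for t, c in rows)


def render_gallery_safe(db):
    """Encodes every stored value on output; the hostile caption is shown as text."""
    rows = db.execute("SELECT title, caption FROM gallery").fetchall()
    return "".join(
        f"<div><h3>{html.escape(t)}</h3><p>{html.escape(c)}</p></div>"
        for t, c in rows
    )


if __name__ == "__main__":
    db = make_db()
    print("vulnerable news query leaks error:",
          leaks_db_error_on_quote(db, news_vulnerable, "Coastal cleanup"))
    print("parameterized news query leaks error:",
          leaks_db_error_on_quote(db, news_safe, "Coastal cleanup"))
    print(render_gallery_vulnerable(db))
    print(render_gallery_safe(db))
```

The check is deliberately the same probe the post describes, a single quote appended to ordinary input, turned into a test a site owner can run against a fix: the parameterized version returns no rows and no error for the quoted value, and the encoded gallery output contains `&lt;script&gt;` rather than a live tag. Encoding must happen at output time; stripping tags on upload would not protect captions that were stored before the fix.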

About Clifford Trigo

I am Clifford Trigo, a proud Boholano / Pinoy / Filipino Web App Security Researcher. Day by day, I'm learning new things :)) Visit my Hackerone Profile, currently at top 2 overall :D