Security Research Work for Directi Part2

This post is regarding critical vulnerability i found on directi’s codechef.com

Proof of Concept

Earlier,I have reported a critical vulnerability(directory traversal) in the main domain(codechef.com).This time I thought of looking into the subdomains of codechef.com.
Through subdomain bruteforcing one domain caught my attention https://mail.codechef.com.
So,started looking for some juicy stuffs through dir-buster.
Got 200ok response from info.php file.
OWASP-A6 (https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure)
Here is the screenshot:

Disclosure of phpinfo server file:
Here is the screenshot: Here is the screenshot:

SQL-INJECTION(CRITICAL)

https://www.owasp.org/index.php/SQL_Injection Through some googling, I found that mail.codechef.com was using sendy email newsletter application.
Two vulnerabilities were available publicly through exploit database of sql-injection.Here is the screenshot-</br> Url-https://www.exploit-db.com/exploits/31898
Here is the screenshot: mail.codechef.com is using a vulnerable version of sendy.
Here is the screenshot:

Url->https://mail.codechef.com/app?i= [vulnerable-sql-injection-point]
Sqlmap confirms the sql-injection.This is a critical vulnerability which can compromise the server. Fix-Upgrade to the latest version
Here is the screenshot:

CROSS-SITE SCRIPTING-

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) Inserting a javascript payload in the redirect parameter leads to its execution.
Here is the screenshot: