[Full-disclosure] phpWebSite 0.10.1 Full SQL Injection
From: h4cky0u (h4cky0u.orggmail.com)
Date: Tue Aug 16 2005 - 19:19:50 CDT
TITLE:
=====
phpWebSite 0.10.1 Full SQL Injection
SOFTWARE:
==========
phpWebSite 0.10.1 Full
INFO:
=====
phpWebSite provides a complete web site content management system.
DESCRIPTION:
============
phpWebSite 0.10.1 Full is vulnerable to an SQL injection attack through the
"module" request parameter, which is placed unescaped into a query. Here is
an example:
http://localhost/phpweb/index.php?module=[sql_injection]
DB Error: syntax error
SELECT show_block, block_title FROM mod_search WHERE
module='[sql_injection]' [nativecode=1064 ** You have an error in your
SQL syntax. Check the manual that corresponds to your MySQL server
version for the right syntax to use near ''[sql_injection]'' at line
1]
PATCH:
======
A simple filter function will do: make the script accept only a-z, A-Z and
0-9 characters in the "module" parameter before it is used in the query.
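The following PHP is an added illustration of the fix this section proposes; it is not phpWebSite's own code. The query text and column names are taken from the error message quoted above, while the function names, the regular expression and the PDO/SQLite setup are assumptions made for the example. The vulnerable pattern is shown beside the hardened form so the difference is visible in one place.

```php
<?php
// Added example, not phpWebSite code. Demonstrates the advisory's PATCH
// advice (restrict "module" to a safe character set) and, as defence in
// depth, binds the value as a query parameter instead of interpolating it.
// Query text reconstructed from the advisory's error message; everything
// else (function names, regex, connection) is an assumption for this example.

// --- Vulnerable pattern: request data is interpolated into the SQL text ---
function search_block_vulnerable(PDO $db, string $module): array
{
    $sql = "SELECT show_block, block_title FROM mod_search WHERE module='$module'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: allowlist check first, then a parameterized query ---

// True only for names made of letters, digits and underscores, at most 64
// characters. The underscore is an assumption beyond the advisory's list,
// since module names commonly use it; tighten to [A-Za-z0-9] if not needed.
function is_valid_module_name(string $module): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $module) === 1;
}

function search_block_safe(PDO $db, string $module): array
{
    if (!is_valid_module_name($module)) {
        // Reject rather than strip characters: a "cleaned" name could
        // silently resolve to a different module than the one requested.
        throw new InvalidArgumentException('invalid module name');
    }
    // Even with the allowlist in place, bind the value so the SQL text never
    // depends on request input.
    $stmt = $db->prepare(
        'SELECT show_block, block_title FROM mod_search WHERE module = :module'
    );
    $stmt->execute([':module' => $module]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration on an in-memory SQLite table (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mod_search (module TEXT, show_block INTEGER, block_title TEXT)');
$db->exec("INSERT INTO mod_search VALUES ('search', 1, 'Search')");

// A well-formed module name passes the allowlist and is looked up safely.
print_r(search_block_safe($db, 'search'));

// A value containing a quote (constructed, malformed input) is rejected
// before any SQL is built, instead of producing the "DB Error" shown above.
try {
    search_block_safe($db, "search'x");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Two points worth keeping in mind when applying this. The allowlist alone already closes the hole the advisory describes, but binding the parameter means the query stays safe even if a later change loosens the check. Separately, the error output quoted above echoes the failing SQL and the MySQL error text back to the browser; in production the database error should be logged server-side and the page should return a generic message, so that a malformed request does not confirm the query structure to whoever sent it.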
VENDOR STATUS:
===============
The vendors were contacted but no response received.
CREDITS:
========
This vulnerability was discovered and researched by
matrix_killer of h4cky0u Security Forums.
mail : matrix_k at abv.bg
web : http://www.h4cky0u.org
Greets to all omega-team members + krassswr, EcLiPsE and all who support us !!!
===========
http://h4cky0u.org/viewtopic.php?t=1967
--
http://www.h4cky0u.org
(In)Security at its best...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/