lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68cbfab105081617196fbd947c@mail.gmail.com>
Date: Wed Aug 17 01:19:58 2005
From: h4cky0u.org at gmail.com (h4cky0u)
Subject: phpWebSite 0.10.1 Full SQL Injection

TITLE:
=====
phpWebSite 0.10.1 Full SQL Injection

SOFTWARE:
==========
phpWebSite 0.10.1 Full

INFO:
=====
phpWebSite provides a complete web site content management system.

DESCRIPTION:
============
phpWebSite 0.10.1 full is vulnerable to an sql injection attack. Here
is an example:

http://localhost/phpweb/index.php?module=[sql_injection]

DB Error: syntax error
SELECT show_block, block_title FROM mod_search WHERE
module='[sql_injection]' [nativecode=1064 ** You have an error in your
SQL syntax. Check the manual that corresponds to your MySQL server
version for the right syntax to use near ''[sql_injection]'' at line
1]

PATCH:
======
A simple filter function will do or make the script to accept only
a-b,A-B,0-9 characters

VENDOR STATUS:
===============
The vendors were contacted but no response received.

CREDITS:
========
This vulnerability was discovered and researched by 
matrix_killer of  h4cky0u Security Forums.

mail : matrix_k at abv.bg

web : http://www.h4cky0u.org
                                  

Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!

===========

http://h4cky0u.org/viewtopic.php?t=1967
-- 
http://www.h4cky0u.org
(In)Security at its best...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ