SQL Injection Vulnerability in newsletter

Summary

Vulnerability: SQL Injection Vulnerability in newsletter
Discovered: 2006.03.28
Last Update: 2006.04.07 Exploitation code published
ID: EV0107
CVE: CVE-2006-1533
Risk Level: medium
Type: SQL Injection
Status: Unpatched. Vendor notyfied.
Vendor: n/a
Vulnerable Software: newsletter (http://www.sourceworkshop.com/)
Version: 1.0
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in newsletter (http://www.sourceworkshop.com/) script.

Vulnerable script: newsletter.php

Parameter newsletteremail is not properly sanitized before being used in SQL query. This can be used to evaluate arbitrary SQL expression.

Condition: magic_quotes_gpc = off

PoC/Exploit

SQL Injection Example:

Subscribe form
Email: zzz' AND [SQL expression]/*

Solution.

Solution for "SQL Injection Vulnerability in newsletter" is not available. Check vendor's website for updates.

SQL Injection Vulnerability in newsletter

Summary

Description

PoC/Exploit

Solution.

Company

Services

eVuln Labs

eVuln Tools