SQL Injection in WikLink

Summary

Vulnerability: SQL Injection in WikLink
Discovered: 2010.12.23
Last Update: n/a
ID: EV0170
CVE: n/a
Risk Level: medium
Type: SQL Injection
Status: Unpatched. Vendor notified. No reply from developer(s).
Vendor: n/a
Vulnerable Software: WikLink (http://sourceforge.net/projects/wiklink/)
Version: 0.1.3
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

An SQL injection vulnerability was found in the WikLink (http://sourceforge.net/projects/wiklink/) script.

SQL Injection
It is possible to inject an arbitrary SQL query through the q parameter of the search.php script.

The q parameter is used in an SQL query without any sanitization.

Condition: magic_quotes: off
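A search handler in the shape the advisory describes, added here as an illustration and not WikLink's own code (the table name wiklink_pages, the column names and the function names are assumptions): the string-concatenation pattern that lets q rewrite the query, beside a prepared-statement version whose safety does not depend on magic_quotes.

```php
<?php
// Added illustration, not WikLink's own code. Table, columns, function
// names and the connection credentials below are assumptions.

// Vulnerable pattern: the q parameter is concatenated straight into the SQL
// string. With magic_quotes_gpc off a single quote in q closes the literal,
// so the rest of the value becomes part of the WHERE clause.
function search_vulnerable(mysqli $db, string $q): array {
    $sql = "SELECT id, title FROM wiklink_pages WHERE title LIKE '%" . $q . "%'";
    $rows = [];
    if ($res = $db->query($sql)) {
        while ($row = $res->fetch_assoc()) {
            $rows[] = $row;
        }
    }
    return $rows;
}

// Hardened version: a prepared statement sends q as a bound parameter, so it
// stays data regardless of magic_quotes. The LIKE wildcards are added in PHP
// and the user's own %, _ and backslash are escaped so they cannot widen the
// match (MySQL's default LIKE escape character is the backslash).
function search_safe(mysqli $db, string $q): array {
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $db->prepare("SELECT id, title FROM wiklink_pages WHERE title LIKE ?");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Assumed connection details; replace with the real ones.
$db = new mysqli('localhost', 'wiklink_user', 'wiklink_pass', 'wiklink');
$q = $_GET['q'] ?? '';
foreach (search_safe($db, $q) as $row) {
    // Output-encode the title so a stored page title cannot inject HTML.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Relying on magic_quotes (or on addslashes at the call site) only masks the bug; binding the parameter removes it and keeps working when magic_quotes is off or unavailable.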

PoC/Exploit

SQL Injection PoC code.

SQL Injection example: http://website/wiklink/search.php?q=aaa' or 'a'='a

Solution

No solution for "SQL Injection in WikLink" is available. Check the vendor's website for updates.