id SQL Injection in WikLink

Summary

Vulnerability: id SQL Injection in WikLink
Discovered: 2010.12.24
Last Update: n/a n/a
ID: EV0171
CVE: n/a
Risk Level: medium
Type: SQL Injection
Status: Unpatched. Vendor notified. No reply from developer(s).
Vendor: n/a
Vulnerable Software: WikLink (http://sourceforge.net/projects/wiklink/)
Version: 0.1.3
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in WikLink (http://sourceforge.net/projects/wiklink/) script.

SQL Injection: It is possible to inject arbitrary SQL query using id parameter in getURL.php script.

Parameter id used in SQL query without any sanitation.

Condition: magic_quotes: off

PoC/Exploit

SQL Injection PoC code.

SQL Injection example: http://website/wiklink/getURL.php?id=-1' union select 1111/*

Solution.

Solution for "id SQL Injection in WikLink" is not available. Check vendor's website for updates.