SQL Injection Vulnerability in AZNEWS

Summary

Vulnerability: SQL Injection Vulnerability in AZNEWS
Discovered: 2006.04.29
Last Update: 2006.05.09 Exploitation code published
ID: EV0126
CVE: CVE-2006-2136
Risk Level: medium
Type: SQL Injection
Status: Unpatched. No reply from developer(s)
Vendor: n/a
Vulnerable Software: AZNEWS (http://zoerb.net/)
Version: 1.0
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

An SQL injection vulnerability was found in the AZNEWS (http://zoerb.net/) script.

Vulnerable script: news.php

The ID parameter is not properly sanitized before being used in an SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

PoC/Exploit

1. SQL Injection Example.

URL: http://[host]/news.php?ACTION=show&ID=9999%20union%20select%201,2,3,4

Solution.

Solution for "SQL Injection Vulnerability in AZNEWS" is not available. Check vendor's website for updates.
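
While no vendor fix exists, the standard mitigation for this class of flaw is to validate ID as an integer and bind it as a query parameter. The sketch below is an added example, not AZNEWS code and not part of the original advisory: the `news` table, its columns and both function names are assumptions, and an in-memory SQLite database stands in for the real backend.

```php
<?php
// Added example: hypothetical stand-in for news.php, not AZNEWS source code.
// Table and column names are assumptions; four columns mirror the PoC's UNION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, posted TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'Hello', 'First post', '2006-04-01')");

// Vulnerable pattern: ID is concatenated into the statement text.
function show_vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, title, body, posted FROM news WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: accept only a positive integer, then bind it as a parameter.
function show_hardened(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return []; // treat as "no such article"
    }
    $stmt = $db->prepare('SELECT id, title, body, posted FROM news WHERE id = ?');
    $stmt->bindValue(1, $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The ID value from the PoC URL above, URL-decoded.
$poc = urldecode('9999%20union%20select%201,2,3,4');

$cases = [
    'vulnerable, PoC value' => show_vulnerable($db, $poc),
    'hardened, PoC value'   => show_hardened($db, $poc),
    'hardened, ID=1'        => show_hardened($db, '1'),
];
foreach ($cases as $label => $rows) {
    echo $label, ': ', json_encode($rows), PHP_EOL;
}
```

The concatenating function returns the row supplied by the injected UNION, while the hardened function rejects the same value before it reaches the database and still serves the legitimate article.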
