SQL Injection Vulnerability in AndoNET Blog

Summary

Vulnerability: SQL Injection Vulnerability in AndoNET Blog
Discovered: 2006.01.25
Last Update: 0 n/a
ID: EV0050
CVE: CVE-2006-0462
Risk Level: medium
Type: SQL Injection
Status: Unpatched
Vendor: n/a
Vulnerable Software: AndoNET Blog (http://www.andonet.tk/)
Version: 2004.09.02
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in AndoNET Blog (http://www.andonet.tk/) script.

Vulnerable script: comentarios.php

Variable $HTTP_GET_VARS['entrada'] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

PoC/Exploit

SQL Injection Example:

http://host/adonet/index.php?ando=comentarios&entrada=1'%20union%20select%201,2,3,4/*

Solution.

Solution for "SQL Injection Vulnerability in AndoNET Blog" is not available. Check vendor's website for updates.

SQL Injection Vulnerability in AndoNET Blog

Summary

Description

PoC/Exploit

Solution.

Company

Services

eVuln Labs

eVuln Tools