by r0t,der4444,cembo,VietMafia

Wednesday, November 23, 2005

1-2-3 Music Store "AlbumID" SQL injection.

Vuln. discovered by: r0t
Date: 23 Nov. 2005
Vendor: http://easybe.com/
Affected version: 1.0 and prior

Product Description:
1-2-3 Music Store - the music download shop for musicians and labels. Reasonably-priced software that lets you sell music downloads worldwide and keep full control over your music.

Vuln. Description:
Input passed to the "AlbumID" parameter in "process.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.
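
One way to apply this fix, shown as an added example that is not the vendor's code or part of the original advisory: validate "AlbumID" as a positive integer and pass it to the database as a bound parameter. The table and column names, the functions parseAlbumId() and findAlbum(), and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical lookup for a request that carries an AlbumID parameter.
// Table and column names are assumptions; the product's real schema is not on the page.

/** Accept only a positive decimal integer; anything else is rejected. */
function parseAlbumId(mixed $raw): ?int
{
    // ctype_digit() refuses signs, spaces, quotes and the empty string;
    // the length limit keeps the value inside the integer range.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Fetch one album with a bound parameter, so the value never becomes SQL text. */
function findAlbum(PDO $db, mixed $rawAlbumId): ?array
{
    $id = parseAlbumId($rawAlbumId);
    if ($id === null) {
        return null; // the caller should answer with HTTP 400
    }
    $stmt = $db->prepare('SELECT id, title FROM albums WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO albums (id, title) VALUES (1, 'First Album'), (2, 'Second Album')");

// Constructed inputs: a valid id, an unknown id, and malformed values.
foreach (['2', '99', '2 OR 1=1', "2'", '-1', ''] as $input) {
    $album = findAlbum($db, $input);
    printf("%-12s => %s\n", var_export($input, true),
        $album !== null ? $album['title'] : 'rejected or not found');
}
```

Only the first input returns a row; the malformed values are refused before any query is prepared, and the bound parameter keeps the query structure fixed even if the validation is later relaxed.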

2 Comments:

Anonymous Daniel told...

Hi,

could you send me (daniel.doubleday at gmx dot net) an example url which demos the vulnerability?

I'm with the easybe development team and will fix the problem as soon as possible.

Thanks a lot, Daniel

3:22 PM

 
Copyright (c) 2006 Pridels Sec Crew