by r0t,der4444,cembo,VietMafia

Monday, November 28, 2005

Babe Logger V2 Sql inj. vuln.

Babe Logger V2
Vuln. discovered by: r0t
Date: 28 Nov. 2005
Vendor: http://13scripts.com/
Affected version: V2 and prior

Product Description:
This script is geared towards babe blog type sites but can be used for any kind of link and/or image listing site imaginable. Whether it be a link dump site, tgp site, media site, etc., this script will do it; see the demos on the script below this one for more examples. You are not limited to these demos, they are just examples of what you can do with the script, and you can create your own setup. The script works on a template system and is 100% customizable. Only basic HTML knowledge is needed to change the look of the entire script; each demo was created in under 5 minutes. Takes about 30 seconds to fully install.

Vuln. description:
Input passed to the "gal" parameter in "index.php" and the "id" parameter in "comments.php" is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Examples:
/index.php?gal=[SQL]
/comments.php?id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.
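As an added example (not code from Babe Logger V2, whose source is not shown here), the unsafe pattern the advisory describes is shown beside a hardened version of the same lookup in PHP. The table and column names, and the assumption that "gal" and "id" are numeric row ids, are mine.

```php
<?php
// Added example, not code from Babe Logger V2: the unsafe pattern the advisory
// describes, followed by a hardened version of the same lookup. Table and
// column names (galleries, comments, id, title, body) are assumptions.

// VULNERABLE PATTERN: the request parameter is concatenated straight into the
// SQL string, so any quote or operator in it is parsed as part of the query.
function fetch_gallery_unsafe(mysqli $db, array $get): ?array
{
    $gal = $get['gal'] ?? '';
    $sql = "SELECT id, title FROM galleries WHERE id = '$gal'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Validation helper: accept only a positive integer, reject everything else.
// This assumes "gal" and "id" are numeric row ids; a string-valued parameter
// would instead be bound with type 's' and checked against an allow-list.
function int_param(array $get, string $name): ?int
{
    $value = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// HARDENED: validate, then bind. A bound parameter is sent to the server
// separately from the SQL text and can never change the query's structure.
function fetch_row_safe(mysqli $db, string $table, string $columns, ?int $id): ?array
{
    if ($id === null) {
        http_response_code(400);          // bad or missing parameter
        return null;
    }
    // $table and $columns are fixed by the caller, never taken from the request.
    $stmt = $db->prepare("SELECT $columns FROM $table WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage for the two endpoints named in the advisory:
//   index.php:    $row = fetch_row_safe($db, 'galleries', 'id, title', int_param($_GET, 'gal'));
//   comments.php: $row = fetch_row_safe($db, 'comments',  'id, body',  int_param($_GET, 'id'));
```

The same validate-then-bind shape applies to every request parameter that reaches a query, not only the two the advisory names.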

3 Comments:

Anonymous Anonymous told...

This bug is patched now.

1:38 AM

Blogger Maniac mansion power told...

The girls are hot thanks, also see http://www.sexybabesdirectory.com/

6:21 PM

Anonymous Babe told...

Okay, you might also like http://www.spacelotus.com hot babe wallpapers ^-^

4:29 PM


Copyright (c) 2006 Pridels Sec Crew