by r0t, der4444, cembo, VietMafia

Friday, November 25, 2005

DMANews Multiple SQL inj. vuln.

Vuln. discovered by: r0t
Date: 25 Nov. 2005
Affected version: 0.904 (latest downloadable version) and v0.910 [Development version]

Product description:

Popular, powerful, secure. DMANews focuses on ease of use and flexible customisation. With excellent documentation and a choice of 4 beautiful control panels, it installs in 5 minutes flat with an easy interactive walkthrough script. Save yourself some time and check out the (always working!) online demo for an immediate appraisal. Requires PHP4 & MySQL.

Vuln. Description:

Input passed to multiple parameters isn't properly sanitised before being used in a SQL query (examples provided, see below). This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



Edit the source code to ensure that input is properly sanitised.
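
What "properly sanitised" looks like in a PHP/MySQL application, as an added example that is not DMANews code and not part of the original advisory: numeric parameters are validated as integers, strings are bound as query parameters, and sort keys pass through an allow-list. The table, column and parameter names are hypothetical, and the sketch assumes a current PHP with PDO (not available on PHP4), using in-memory SQLite so it runs without a server.

```php
<?php
// Added example, not DMANews code: table, column and parameter names are hypothetical.

// Identifiers cannot be bound as parameters, so sort keys go through an allow-list.
const SORT_COLUMNS = ['date' => 'posted_at', 'title' => 'title'];

function fetch_news(PDO $db, array $request): array
{
    // Numeric parameter: accept positive integers only (arrays and null fail too).
    $cat = filter_var($request['cat'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($cat === false) {
        throw new InvalidArgumentException('cat must be a positive integer');
    }
    // String parameter: type-check it, then bind it as data below.
    $author = $request['author'] ?? '';
    if (!is_string($author) || strlen($author) > 64) {
        throw new InvalidArgumentException('author must be a short string');
    }
    // Sort key: anything outside the allow-list falls back to the default column.
    $sort = $request['sort'] ?? 'date';
    $order = is_string($sort) ? (SORT_COLUMNS[$sort] ?? 'posted_at') : 'posted_at';

    $stmt = $db->prepare(
        "SELECT id, title FROM news
          WHERE category_id = :cat AND author = :author
          ORDER BY $order DESC"
    );
    $stmt->execute([':cat' => $cat, ':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false for server-side prepares.
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, category_id INTEGER,
                              author TEXT, title TEXT, posted_at TEXT)');
$db->exec("INSERT INTO news VALUES (1, 1, 'admin', 'First post', '2005-11-01'),
                                   (2, 2, 'admin', 'Second post', '2005-11-02')");

var_dump(count(fetch_news($db, ['cat' => '1', 'author' => 'admin', 'sort' => 'title'])));
// Constructed hostile values: the quote is bound as data, the non-integer is rejected.
var_dump(count(fetch_news($db, ['cat' => '1', 'author' => "admin' OR '1'='1"])));
try {
    fetch_news($db, ['cat' => '1 OR 1=1', 'author' => 'admin']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```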



Copyright (c) 2006 Pridels Sec Crew