by r0t, der4444, cembo, VietMafia

Monday, November 28, 2005

Nephp Publisher v4.5.x SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Affected version: v4.5.2 and prior

Product Description:
Nephp Publisher is sold as a solution for web publishing such as an online magazine or media website. It also works as a Content Management System that is easy to install and manage. It acts as a core application and lets you develop your own website; by modifying its templates, nephp can become multi-purpose software, for example News Publishing, Product Reviews, Content Manager System (CMS), Lyric Engine, etc.

Vuln. description:
Input passed to the "id" and "nnet_catid" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A quick check is to supply a single quote or an always-true condition in either parameter: a database error or a changed result set shows that the value reaches the query as SQL text rather than as data.


Solution:
Edit the source code to ensure that input is properly sanitised. If the two parameters are numeric identifiers, as their names suggest, casting them to an integer before they reach the query is enough; otherwise escape the value or, better, pass it through a parameterised query so the database never parses it as SQL.
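The following is an added example illustrating the vulnerability class and the fix described above. It is not code from Nephp Publisher; the table name "articles", its columns, the function names and the sample data are assumptions made for illustration only. It shows a request parameter concatenated into a query (the pattern the advisory describes), the same parameter cast to an integer, and a prepared statement with the value bound separately from the SQL text. The prepared-statement part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not nephp's code. Table/column names and data are constructed.

// Vulnerable: the raw request value is concatenated into the SQL text, so a
// value such as "1 OR 1=1" or "1 UNION SELECT ..." becomes part of the query.
function build_query_vulnerable(string $id): string
{
    return "SELECT title, body FROM articles WHERE id = " . $id;
}

// Hardened, option 1: the parameter is a numeric identifier, so cast it.
// intval() keeps the leading digits and discards the rest; a value with no
// leading digits becomes 0. The result can never be SQL code.
function build_query_cast(string $id): string
{
    return "SELECT title, body FROM articles WHERE id = " . intval($id);
}

// Hardened, option 2: a prepared statement. The value travels separately from
// the SQL text, so the database treats it as data, never as SQL.
function fetch_article(PDO $db, string $id): ?array
{
    $stmt = $db->prepare("SELECT title, body FROM articles WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed attacker value of the kind that would be placed in "id" or
// "nnet_catid" (hypothetical; no real request is made here).
$payload = "1 OR 1=1";

// The first string still contains the injected clause as SQL; the second
// contains only the integer 1.
echo build_query_vulnerable($payload), "\n";
echo build_query_cast($payload), "\n";

// In-memory SQLite database with constructed rows for the prepared statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
$db->exec("INSERT INTO articles VALUES (1, 'first', 'public'), (2, 'second', 'draft')");

// Only the row with id 1 is returned; the "OR 1=1" text never reaches the parser.
var_dump(fetch_article($db, $payload));
```

The integer cast is the smallest change an administrator can make to a vulnerable script while waiting for a vendor fix; the prepared statement is the durable fix because it also covers parameters that are legitimately strings, where a cast is not an option and hand-written escaping is easy to get wrong.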



Copyright (c) 2006 Pridels Sec Crew