by r0t, der4444, cembo, VietMafia

Monday, November 28, 2005

SoftBiz FAQ Script Multiple SQL vuln.

Vuln. discovered by: r0t
Date: 28 Nov. 2005
Vendor: http://www.softbizscripts.com/FAQ-script-features.php
Affected version: 1.1 and prior

Product Description:
Our FAQ Script reduces the burden of replying to similar/repetitive queries. It can also be used as a collection of articles. FEATURES: multilevel categories; stats; Customizable colors, fonts, styles; create and save new color schemes and icon sets. Admin can post attachments and specify related articles. Visitors can comment upon, rate, print, refer or discuss articles. WYSIWYG editor for posting HTML formatted articles.

Vuln. description:
Input passed to the "id" parameter in "faq_qanda.php", "refer_friend.php", "print_article.php" and "add_comment.php", and to the "cid" parameter in "index.php", is not properly sanitised before being used in an SQL query. This can be exploited to manipulate the queries by injecting arbitrary SQL code through those parameters.

examples:
/index.php?cid=[SQL]
/faq_qanda.php?id=[SQL]
/refer_friend.php?id=[SQL]
/print_article.php?id=[SQL]
/add_comment.php?id=[SQL]

Solution:
Edit the source code so that these parameters are validated before they reach the database: treat "id" and "cid" as integers (reject anything that is not a whole number) and pass the value to the query as a bound parameter rather than concatenating it into the SQL string. After patching, a request such as /faq_qanda.php?id=1' should produce an error page or an empty result, never a database error message.
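The following is an added illustration, not code from the SoftBiz script or from this advisory. It models the flaw described above (a URL parameter dropped straight into a query) and the fix recommended in the Solution. The table name, columns and rows are constructed for the demo; the real schema of the FAQ script is not given on this page.

```python
import sqlite3

# Constructed stand-in for the FAQ script's article table (assumption: the
# real schema is not known here). One row is unpublished so we can show that
# injection bypasses the "published" filter.
SCHEMA = """
CREATE TABLE faq_articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER);
INSERT INTO faq_articles VALUES (1, 'Public article',  'visible', 1);
INSERT INTO faq_articles VALUES (2, 'Draft article',   'hidden',  0);
INSERT INTO faq_articles VALUES (3, 'Another public',  'visible', 1);
"""


def open_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_article_vulnerable(conn, id_param: str):
    """Models faq_qanda.php?id=... as the advisory describes it:
    the raw parameter is interpolated into the SQL text."""
    sql = f"SELECT id, title FROM faq_articles WHERE id={id_param} AND published=1"
    return conn.execute(sql).fetchall()


def fetch_article_hardened(conn, id_param: str):
    """Fixed version: validate that the identifier is a whole number, then
    bind it as a parameter so the database never sees it as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, title FROM faq_articles WHERE id=? AND published=1"
    return conn.execute(sql, (int(id_param),)).fetchall()


def hardened_rejects(conn, id_param: str) -> bool:
    """True if the hardened lookup refuses the parameter."""
    try:
        fetch_article_hardened(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # Normal request: one published article.
    print(fetch_article_vulnerable(db, "1"))
    # Injected condition plus a comment that cuts off the published=1 filter:
    # the draft row leaks.
    print(fetch_article_vulnerable(db, "1 OR 1=1 --"))
    # UNION-based read of a column the page never displays.
    print(fetch_article_vulnerable(db, "-1 UNION SELECT 0, body FROM faq_articles WHERE id=2 --"))
    # Hardened lookup: same result for a real id, rejection for the payload.
    print(fetch_article_hardened(db, "1"))
    print(hardened_rejects(db, "1 OR 1=1 --"))
```

The two injected values map directly onto the advisory's /faq_qanda.php?id=[SQL] example: the first turns the WHERE clause into `id=1 OR 1=1`, the second appends a UNION that selects data from another column. SQLite is used only because it runs without a server; the MySQL syntax the PHP script would face is the same for these payloads.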

3 Comments:

Blogger Silver Fox told...

Our network has been looking for a Multilevel business like yours to list in our World Directory & our forum.

Hey, there is no cost and it will only take a few minutes for you to register!

Your Silver Fox Business Building Team helping build your Multilevel business!

6:57 PM

 
Blogger Silver Fox told...

Our network has been looking for a Multilevel business like yours to list in our World Directory & our forum.

Hey, there is no cost and it will only take a few minutes for you to register!

Your Silver Fox Business Building Team helping build your Multilevel business!

5:24 PM

 
Anonymous Scott Arthur Edwards told...

Wow what a cool blog you have here! I am impressed. You really put a lot of time and effort into this. I wish I had your creative writing skills, progressive talent and self- discipline to produce a blog like you did. Your blog really does deserve an honest compliment. If you have some time, stop by my site. It deals with stuff like, click here: home business and then feel free to e-mail me with your words of wisdom.

P.S. I'll sure put the word out about your site and I would appreciate any business you may send my way... Later, Scott.

12:28 AM

 

Copyright (c) 2006 Pridels Sec Crew