by r0t,der4444,cembo,VietMafia

Monday, November 28, 2005

Top Music module for PHP Nuke SQL inj. vuln

Vuln. discovered by: r0t
Date: 28 nov. 2005
Affected version: 3.0 PR3 and prior

Product Description:
This is a module for PHPNuke that allows you to build an interactive music portal without technical knowledge. Artists, bands, lyrics, songs, audio tracks...

Features:
:: A-Z list of Bands
:: Bands information (Name, genre, biography...)
:: Bands' Albums list
:: Album information (Title, year, band...)
:: Album's Songs list
:: Song information (Title, album, number...)
:: Listen sample songs
:: Bands, Albums and Songs searching
:: Tops listing
:: Multilanguage
:: Easy installation and configuration
:: Themes

Latest version: 3.0PR3
Stable version: 3.0PR2
CVS version: 3.0PR3

Now there is version 3.0 under development with a new module called Top Music Submitter which will allow users' submissions. Version 3.0 Pre-Release 3 is an adaptation for Top Music Submitter currently under development. In addition, we have included some features that will be available in version 3.0 final.

Vuln. description:
Input passed to the "idartist", "idsong" and "idalbum" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.




Edit the source code to ensure that input is properly sanitised.
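
One way to apply the advice above to the three parameters named in the advisory: accept only a plain positive integer and pass it to the database as a bound parameter. This is an added example, not Top Music's code; the table and column names, the helper names and the in-memory SQLite database are assumptions, and it needs PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example, not Top Music's code. Table and column names are hypothetical.

// One fixed statement per URL parameter named in the advisory.
const TM_QUERIES = [
    'idartist' => 'SELECT name  FROM tm_artist WHERE idartist = :id',
    'idalbum'  => 'SELECT title FROM tm_album  WHERE idalbum  = :id',
    'idsong'   => 'SELECT title FROM tm_song   WHERE idsong   = :id',
];

// Return the parameter as a positive integer, or null unless it is a string
// of 1 to 9 decimal digits with no sign, whitespace or trailing text.
function tm_int_param(array $request, string $name): ?int
{
    $raw = $request[$name] ?? null;
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,8}$/D', $raw) !== 1) {
        return null;   // also rejects arrays such as ?idsong[]=1
    }
    return (int) $raw;
}

// Look up one row by id; invalid input never reaches the database.
function tm_lookup(PDO $db, array $request, string $name): ?string
{
    $id = tm_int_param($request, $name);
    if ($id === null || !array_key_exists($name, TM_QUERIES)) {
        return null;
    }
    $stmt = $db->prepare(TM_QUERIES[$name]);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);  // bound, not concatenated
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tm_song (idsong INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO tm_song VALUES (7, 'Sample song')");

// Constructed request values: one valid id and several that must be rejected.
foreach (['7', '7abc', '1 OR 1=1', '-1', ' 7', ''] as $raw) {
    $title = tm_lookup($db, ['idsong' => $raw], 'idsong');
    printf("%-12s %s\n", var_export($raw, true), $title ?? 'rejected or not found');
}
```

Either control stops the injection on its own; using both means a later change that drops the integer check still cannot put request text into the SQL string.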


Anonymous Anonymous told...

I'm the Top Music module owner and I protect the module ensuring that url ids are integers.

SQL injection can't be made

8:37 PM

Anonymous sergids told...

I'm Top Music developer and I protected this module from sql injection in previous versions.

This vulnerability is not real.

9:04 PM




Copyright (c) 2006 Pridels Sec Crew