by r0t,der4444,cembo,VietMafia

Tuesday, December 06, 2005

A-FAQ SQL inj. vuln.

Vuln. discovered by: r0t
Date: 6 Dec. 2005
Vendor: http://www.alanward.net/afaq
Affected version: 1.0 and prior

Product Description:
A-FAQ is an ASP application used for managing a database of questions and answers. Features include categories, ratings and a full administration area.


Vuln. Description:
Input passed to the "faqid" parameter in "faqDspItem.asp" and the "catcode" parameter in "faqDsp.asp" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Example:
/faqDspItem.asp?faqid=[SQL]
/faqDsp.asp?catcode=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.
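To make the fix concrete, the following classic ASP (VBScript) fragment is an added illustration written for this advisory, not A-FAQ's own source: it shows the unsafe string-splicing pattern the description refers to next to a hardened lookup for both "faqid" and "catcode" that validates the input and binds it as an ADODB parameter. The table name "faq", its columns and the open connection "conn" are assumptions.

```vbscript
' Added illustration for this advisory, not A-FAQ's own source code.
' Assumed: a table "faq" with integer column "faqid", string column
' "catcode" and text columns "question"/"answer", plus an open
' ADODB.Connection in the variable "conn". Names are guesses.
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Vulnerable pattern (reconstructed to match the description above): the raw
' query-string value is spliced into the SQL text, so its content becomes SQL.
Sub VulnerableLookup(conn, rawId)
    conn.Execute "SELECT question, answer FROM faq WHERE faqid = " & rawId
End Sub

' Whitelist check: faqid must be a plain decimal number, nothing else.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

' Hardened faqDspItem.asp lookup: validate, then bind the value as a typed parameter.
Function GetFaqItem(conn, rawId)
    If Not IsPlainInteger(rawId) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT question, answer FROM faq WHERE faqid = ?"
    cmd.Parameters.Append cmd.CreateParameter("faqid", adInteger, adParamInput, , CLng(rawId))
    Set GetFaqItem = cmd.Execute
End Function

' Hardened faqDsp.asp lookup: catcode is text, so it is bound as a bounded
' varchar parameter; the driver, not string concatenation, handles quoting.
Function GetFaqCategory(conn, rawCode)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT faqid, question FROM faq WHERE catcode = ?"
    cmd.Parameters.Append cmd.CreateParameter("catcode", adVarChar, adParamInput, 50, Left(rawCode, 50))
    Set GetFaqCategory = cmd.Execute
End Function
```

With the parameterised form, a request such as faqDspItem.asp?faqid=[SQL] is rejected by the numeric check before any query runs, and a catcode value is delivered to the database as data rather than as part of the statement.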

3 Comments:

Anonymous Anonymous told...

Damn, r0t, you are so uncouth.
You have completely turned this ideal blog into some kind of garbage dump. I even hate coming in here, because I already know that this lamer will once again have filled it with some elementary SQL vulnerabilities. Just send them all to the sec sites, not here. You are a complete moron.

7:15 PM

 
Blogger r0t told...

"Damn, r0t, you are so uncouth" - Great!

"this ideal blog" - Since when?

"I already know that this lamer" - Damn, I would know so much if I were YOU!

"You are a complete moron." - Aha, here you are, my new prophet :)


A question comes to mind: what are you doing here?
Even if I have been busy with all kinds of nonsense these last few days, it gives me pleasure, and well, the blog gets a few more visitors on top of that.
While nobody has time for the blog, or for the upcoming site, or for the forum, I am fooling around...
I also consider these vulnerabilities elementary, but that changes nothing.
If you consider yourself some big shot who will now come and yell at little "r0t", then you are mistaken, boy, in thinking that you will change anything here.
I couldn't care less about people like you and your remarks, no matter where you come from or spring up.
Maybe people like you cannot do what they would like to, but then there is no need to try to hold others back along with yourself.
Try sometime to accomplish even 10% of what I have accomplished and then open your mouth, and I am not only talking about these "advisories", which are just the last week's work.

10:07 PM

 
Anonymous metro web hosting told...

Hey, how are you doing? Just letting you know that someone from Central America read your blog!
If you feel like visiting mine:
metro web hosting
Regards,
Charles

12:46 PM

 

Copyright (c) 2006 Pridels Sec Crew