by r0t, der4444, cembo, VietMafia

Monday, December 05, 2005

HobSR SQL inj. vuln

Vuln. discovered by: r0t
Date: 5 dec. 2005
vendor: www.hobosworld.com/scripts.php?id=5
affected version: 1.0 and prior

Product Description:
HobSR is a top sites script where users sign up to have their website on a list of websites, and each click in/out is counted for them. This script has the ability to have unlimited admins and websites. This script also features a verify program where all websites who sign up must be verified by the admin to be put on the list. You NEED MYSQL to run this script.

Vuln. Description:
Input passed to the "arrange" and "p" parameters in "view.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/view.php?arrange=[SQL]
/view.php?p=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.
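The advisory does not reproduce view.php, so the following is an added illustration rather than the vendor's code: it assumes "arrange" selects the sort column and "p" the page number, and shows the unsanitised concatenation pattern the advisory describes next to a hardened version (column allow-list, integer cast, prepared statement). Table and column names are assumptions.

```php
<?php
// Hypothetical reconstruction of the affected pattern in HobSR's view.php.
// Not the vendor's code: the roles of "arrange" (sort column) and "p" (page
// number), and the table/column names, are assumptions for illustration.

$db = new mysqli('localhost', 'hobsr', 'password', 'hobsr'); // placeholder credentials
$db->set_charset('utf8mb4');

// --- Vulnerable pattern: request values are pasted straight into the SQL text ---
// Whatever arrives in "arrange" and "p" becomes part of the statement, so the
// query can be altered by any value that is not a plain column name or number.
function list_sites_unsafe(mysqli $db, array $get)
{
    $arrange = $get['arrange'];                // expected: a column name
    $p       = $get['p'];                      // expected: a page number
    $offset  = ($p - 1) * 20;
    $sql = "SELECT id, name, url, hits_in, hits_out FROM sites "
         . "WHERE verified = 1 ORDER BY $arrange DESC LIMIT $offset, 20";
    return $db->query($sql);
}

// --- Hardened form ---
// ORDER BY cannot be bound as a parameter, so "arrange" is matched against a
// fixed allow-list of column names and anything else falls back to a default.
// "p" is forced to a positive integer and the offset is bound, never concatenated.
function list_sites_safe(mysqli $db, array $get)
{
    $allowed = ['hits_in', 'hits_out', 'name'];   // assumed sortable columns
    $arrange = in_array($get['arrange'] ?? '', $allowed, true)
             ? $get['arrange'] : 'hits_in';
    $page    = max(1, (int) ($get['p'] ?? 1));
    $offset  = ($page - 1) * 20;

    $stmt = $db->prepare(
        "SELECT id, name, url, hits_in, hits_out FROM sites "
      . "WHERE verified = 1 ORDER BY $arrange DESC LIMIT ?, 20"
    );
    $stmt->bind_param('i', $offset);
    $stmt->execute();
    return $stmt->get_result();
}

// Usage: render the listing with output escaped for HTML.
$result = list_sites_safe($db, $_GET);
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The allow-list is what closes the "arrange" hole; escaping alone does not help for an identifier position such as ORDER BY.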

Copyright (c) 2006 Pridels Sec Crew