by r0t, der4444, cembo, VietMafia

Wednesday, December 14, 2005

Jamit Job Board 2.4.x SQL inj.


Vuln. discovered by: r0t
Date: 14 Dec. 2005
Vendor: http://www.jamit.com.au/
Affected version: 2.4.1 and prior

Product Description:

Job Board Pro is a PHP application for running and managing a jobs portal website. It is written in PHP and backed by a MySQL database. It is a complete script for those who want to run a professional Job Board website, with all the features you would expect, and it is simple and easy to navigate and use. The Job Board script was designed by applying many of the principles learned from the study of Human-Computer Interaction (HCI). Features include an Employer's area, a Job Seeker's area, email alerts, job search, online resumes, multi-lingual support, dynamic forms, a billing system for subscriptions & posting credits (integrated with PayPal IPN), and more.


Vuln. Description:

Job Board Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "cat" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Example:
/index.php?cat=[SqL]



Solution:
Edit the source code to ensure that input is properly sanitised.
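As an added illustration of that fix (example code written for this note, not Jamit Job Board's own source), the hypothetical category lookup below shows the concatenated-query shape the advisory describes next to a version that validates "cat" as an integer and passes it through a prepared statement; the table name, column names and connection details are assumptions.

```php
<?php
// Added example, not the product's code: a hypothetical index.php category
// lookup. Table/column names (jobs, category_id, title) are assumptions.

// Vulnerable shape: whatever arrives in ?cat= becomes part of the SQL text,
// so the database parses attacker-controlled input as query syntax.
function build_query_unsafe(string $cat): string
{
    return "SELECT id, title FROM jobs WHERE category_id = '" . $cat . "'";
}

// Hardened shape: the category id is validated as a positive integer first,
// and the query uses a bound parameter, so the value is never parsed as SQL.
function fetch_jobs_by_category(mysqli $db, $cat): array
{
    // filter_var() returns false for anything that is not a plain integer
    // (quotes, comment markers, extra clauses all fail validation).
    $id = filter_var($cat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // reject rather than guess
        return [];
    }
    $stmt = $db->prepare('SELECT id, title FROM jobs WHERE category_id = ?');
    $stmt->bind_param('i', $id);   // 'i' = integer placeholder
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Entry point as index.php might call it (connection details are assumed).
$db = new mysqli('localhost', 'jobboard', 'secret', 'jobboard');
$jobs = fetch_jobs_by_category($db, $_GET['cat'] ?? '');
foreach ($jobs as $job) {
    // Output encoding is a separate concern from the SQL fix, but the same
    // untrusted data should not be echoed raw either.
    echo htmlspecialchars($job['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

A request such as /index.php?cat=5 still works after the change, while any value that is not a bare integer is refused with a 400 before a query is built.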

Copyright (c) 2006 Pridels Sec Crew