by r0t, der4444, cembo, VietMafia

Thursday, December 01, 2005

NetClassifieds all versions SQL inj. vuln

Vuln. discovered by: r0t
Date: 1 Dec. 2005
Affected versions:
NetClassifieds Premium Edition 1.0.1
NetClassifieds Professional Edition 1.5.1
NetClassifieds Standard Edition
NetClassifieds Free Edition 1.0.1

Vuln. Description:

Input passed to the "CatID" parameter in "ViewCat.php" and "gallery.php", and to the "ItemNum" parameter in "ViewItem.php", is not properly sanitised before being used in an SQL query. This can be exploited to manipulate the query by injecting arbitrary SQL code, e.g. a tautology such as 1 OR 1=1 to return every row, or a UNION SELECT to read rows from other tables.
Solution:

Edit the source code to ensure that input is properly sanitised. If CatID and ItemNum are numeric identifiers, as their names suggest, the fix is to reject any value that is not an integer and to pass the value to the database as a bound parameter rather than by string concatenation.
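The following is an added illustration of the bug class described above and of the fix; it is not NetClassifieds code and was not written by the advisory authors. It uses an in-memory SQLite database as a stand-in for the application's database, so the table names and every column other than CatID are assumptions. The ItemNum parameter in ViewItem.php has the same shape, so the same handling applies to it.

```python
import sqlite3


# Constructed stand-in for the application's database: one public table
# (categories) and one an attacker would want to read (users). All names
# except CatID are assumptions made for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (CatID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany(
        "INSERT INTO categories VALUES (?, ?)",
        [(1, "Cars"), (2, "Boats"), (3, "Jobs")],
    )
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hunter2')")
    conn.commit()
    return conn


def view_cat_vulnerable(conn: sqlite3.Connection, cat_id: str) -> list:
    """Bug class from the advisory: the raw request parameter is pasted into the query."""
    sql = f"SELECT CatID, Name FROM categories WHERE CatID = {cat_id}"
    return conn.execute(sql).fetchall()


def view_cat_fixed(conn: sqlite3.Connection, cat_id: str) -> list:
    """Hardened form: validate the type first, then bind the value as a query parameter."""
    try:
        cat_num = int(cat_id)
    except ValueError:
        return []  # anything that is not an integer is treated as 'no such category'
    return conn.execute(
        "SELECT CatID, Name FROM categories WHERE CatID = ?", (cat_num,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal request: ViewCat.php?CatID=1
    print(view_cat_vulnerable(db, "1"))
    # Tautology: CatID=1 OR 1=1 returns every category
    print(view_cat_vulnerable(db, "1 OR 1=1"))
    # UNION: CatID=0 UNION SELECT ... pulls rows out of a different table
    print(view_cat_vulnerable(db, "0 UNION SELECT id, username || ':' || password FROM users"))
    # The same payloads against the fixed handler
    print(view_cat_fixed(db, "1"))
    print(view_cat_fixed(db, "1 OR 1=1"))
```

The UNION payload only works once the attacker has matched the column count of the original SELECT, which is why the vulnerable handler is so easy to probe: a guessed column count that is wrong produces a database error, a right one produces data. In the PHP application the equivalent of the fixed handler is casting the parameter with (int) or intval() before it reaches the query and, where the database driver allows it, using a prepared statement with a bound parameter.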


Anonymous said...

Great job of reporting to the vendor first so they could release a fix with the announcement of the problem! Thankfully most people who report bugs are responsible enough to let the vendor know ahead of time so a fix can be issued.

9:56 PM



Copyright (c) 2006 Pridels Sec Crew