by r0t,der4444,cembo,VietMafia

Monday, December 05, 2005

Web4Future Affiliate Manager PRO SQL inj. vuln.

Vuln. discovered by: r0t
Date: 5 Dec. 2005
Vendor: http://www.web4future.com/products.php?p=aff
Affected version: 4.1 and prior

Product Description:
Affiliate Manager Professional is an affiliate script that was created to ease your work. It keeps track of new affiliates and lets you approve them with a single click, keeps track of every purchase generated by a referral, has a fraud detection system that e-mails you when there are problems, displays graphical stats in multiple forms, and has a clear and easy-to-use interface. It can be used to track recurring commissions and now allows MLM affiliate programs.

Vuln. Description:

Input passed to the "pid" parameter in "functions.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Example:
/functions.php?action=ViewPaymentLog&pid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.
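To make the fix concrete, here is an added illustration (not Web4Future's code) of the pattern the advisory describes, where the raw "pid" value is concatenated into the query, beside a hardened version that validates the value as an integer and binds it through a prepared statement. The table name `payment_log`, its integer column `pid`, and the PDO connection details are assumptions for the example.

```php
<?php
// Added example, not the product's own code. Assumed schema: a table
// `payment_log` with an integer column `pid`; $db is a PDO connection.

// Vulnerable pattern (what the advisory describes): the request value is
// pasted straight into the SQL string, so it is parsed as SQL, not data.
function viewPaymentLogVulnerable(PDO $db, array $get): array
{
    $pid = $get['pid'];
    $sql = "SELECT * FROM payment_log WHERE pid = " . $pid; // no validation
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: accept only a positive integer, then bind it as a
// typed parameter so the database never interprets it as SQL syntax.
function viewPaymentLogSafe(PDO $db, array $get): array
{
    $pid = filter_var(
        $get['pid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($pid === false) {
        http_response_code(400); // reject malformed input outright
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM payment_log WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Dispatcher mirroring the advisory's action=ViewPaymentLog request.
if (($_GET['action'] ?? '') === 'ViewPaymentLog') {
    // Hypothetical connection settings; real prepares, no client emulation.
    $db = new PDO('mysql:host=localhost;dbname=affiliates', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $rows = viewPaymentLogSafe($db, $_GET);
    header('Content-Type: application/json');
    echo json_encode($rows);
}
```

The vulnerable function is kept only for comparison; only the safe one is wired to the request.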

Copyright (c) 2006 Pridels Sec Crew