vendor:
Free Hosting Manager
by:
Yakir Wizman AKA Pr0T3cT10n
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Free Hosting Manager
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: NO
Related CWE: N/A
CPE: a:fhm-script:free_hosting_manager
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
Free Hosting Manager V2.0 SQL Injection Vulnerability
A SQL injection vulnerability exists in Free Hosting Manager V2.0. An attacker can exploit this vulnerability to gain access to the admin panel of the application. The vulnerability is triggered when an attacker sends a maliciously crafted HTTP request to the vulnerable application. The attacker can use the Google Dork 'inurl:clients/packages.php?id=1' to find vulnerable applications. The PoC for this vulnerability is 'http://www.example.com/clients/packages.php?id=-1'+UNION+ALL+SELECT+1,CONCAT(username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+adminusers%23
Mitigation:
Input validation should be used to prevent SQL injection attacks. The application should also be configured to use parameterized queries.
