Vendor: Freejokesscript
By: MuhaciR
CVSS: 7.5 (HIGH)
SQL Injection & Admin Bypass
CWE: 89
Product Name: Freejokesscript
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:evernewscripts:freejokesscript
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
Freejokesscript 1.0 (joke-archives.php) Remote SQL Injection & Admin Bypass Vulnerabilities
Freejokesscript 1.0 passes the 'cat_id' and 'cat_name' request parameters of the 'joke-archives.php' script into SQL queries without sanitization or parameterization. A remote attacker can send an HTTP request with crafted values for these parameters to alter the query logic, extract data from the backing database, and bypass the administrator authentication. Successful exploitation results in unauthorized access to the application, disclosure of sensitive information such as stored credentials, and may enable further attacks against the host.
Mitigation:
No vendor patch exists. Use parameterized queries (prepared statements) so that untrusted input such as 'cat_id' and 'cat_name' is bound as data rather than concatenated into the SQL text, and validate that 'cat_id' is a plain integer before it is used at all. Administrator credentials should not be stored in plaintext; store a salted password hash so that a successful injection does not hand the attacker a reusable password.
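To make the two flaw classes and the mitigation concrete, the following is an added example, not code from Freejokesscript or from the advisory author. It reproduces the vulnerable pattern (a request parameter concatenated into SQL) and the hardened pattern (type check plus bound parameters plus hashed credentials) against an in-memory SQLite database. The table and column names, the sample rows and the payloads are all constructed for the demonstration; nothing here is taken from the real joke-archives.php. The numeric 'cat_id' case shows data disclosure through a UNION, and a string-context login shows the authentication bypass the advisory describes.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed fixture: an in-memory stand-in for the joke archive.
    Table and column names are assumptions, not taken from Freejokesscript."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jokes (id INTEGER PRIMARY KEY, cat_id INTEGER, body TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO jokes VALUES (1, 1, 'pun one'), (2, 1, 'pun two'), (3, 2, 'knock one');
        INSERT INTO admin VALUES ('admin', 's3cret');
    """)
    return conn


# --- vulnerable pattern: request parameter concatenated into the query ---

def archive_vulnerable(conn, cat_id):
    # cat_id arrives as a string from the query string; no type check, no binding.
    sql = "SELECT body FROM jokes WHERE cat_id = " + cat_id
    return [row[0] for row in conn.execute(sql)]


def login_vulnerable(conn, username, password):
    # Quoted string context; a stray quote in either field rewrites the WHERE clause.
    sql = ("SELECT COUNT(*) FROM admin WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Constructed payloads of the kind the advisory describes. The UNION appended
# to the numeric cat_id pulls the admin credentials into the joke listing
# (disclosure), and the tautology makes the login WHERE clause always true (bypass).
UNION_PAYLOAD = "1 UNION SELECT username || ':' || password FROM admin"
TAUTOLOGY = "' OR '1'='1"


# --- hardened pattern: validate the type, bind the value, hash the secret ---

def archive_safe(conn, cat_id):
    # Reject anything that is not a plain integer before it gets near SQL,
    # then bind it as a parameter anyway (defence in depth).
    if not cat_id.isdigit():
        raise ValueError("cat_id must be an integer")
    rows = conn.execute(
        "SELECT body FROM jokes WHERE cat_id = ? ORDER BY id", (int(cat_id),))
    return [row[0] for row in rows]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def setup_admin_hashed(conn, username, password):
    # Stores a per-user salt and PBKDF2 hash instead of the plaintext password,
    # so a later injection cannot read a reusable credential.
    conn.execute("CREATE TABLE IF NOT EXISTS admin_hashed "
                 "(username TEXT, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admin_hashed VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def login_safe(conn, username, password):
    # Username is bound as data; the password never reaches SQL at all.
    row = conn.execute("SELECT salt, pwhash FROM admin_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print(archive_vulnerable(db, UNION_PAYLOAD))       # listing now contains 'admin:s3cret'
    print(login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))  # True, no valid password needed
    setup_admin_hashed(db, "admin", "s3cret")
    print(login_safe(db, TAUTOLOGY, TAUTOLOGY))        # False
    print(login_safe(db, "admin", "s3cret"))           # True
```

The integer check on 'cat_id' alone would already block the UNION payload, but the bound parameter is what protects the query if a later change relaxes the check; the two layers are deliberately kept together. SQLite is used only because it ships with Python; the same concatenation versus binding distinction applies to the MySQL-backed PHP script the advisory concerns.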