vendor:
Business Directory Script
by:
Hussin X
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Business Directory Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Business Directory Script (cid) Remote SQL Injection Vulnerability
An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The attacker can inject arbitrary SQL code in the vulnerable parameter 'cid' of the 'showcategory.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can be used to disclose sensitive information from the database, modify data, or exploit further vulnerabilities in the underlying SQL server software.
Mitigation:
Input validation should be used to prevent SQL injection attacks. The application should also be configured to use the least privileged account with access to the database.