Datenator 0.3.0 (event.php id) SQL Injection

vendor:

Datenator 0.3.0

by:

The_HuliGun

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Datenator 0.3.0

Affected Version From: 0.3.0

Affected Version To: 0.3.0

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Datenator 0.3.0 (event.php id) SQL Injection

Datenator 0.3.0 is vulnerable to SQL Injection due to the lack of input validation on the 'id' parameter in the 'event.php' file. An attacker can exploit this vulnerability by sending a malicious SQL query to the 'event.php' file via the 'id' parameter. This can allow the attacker to gain access to sensitive information from the database.

Mitigation:

Input validation should be implemented on the 'id' parameter in the 'event.php' file to prevent SQL Injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Datenator 0.3.0 (event.php id) SQL Injection
# Date: 26.12.09
# Author: The_HuliGun

# Look on code in event.php: 
 
22: if(isset($_GET['id'])) 
23: {
24: 	$event = $datenator->read_event_info($_GET['id']);

# Function read_event_info() is in file includes/functions.php 

412: function read_event_info($event_id)
413:	{
414:		$sql = "SELECT * FROM 
415:		".$this->getConfig('db_tableprefix')."events,
416:		".$this->getConfig('db_tableprefix')."events_repeat 
417:		WHERE 
418:		".$this->getConfig('db_tableprefix')."events.event_id = ".$this->prepare_sql($event_id)." and  
419:		".$this->getConfig('db_tableprefix')."events_repeat.repeat_event_id = ".$this->prepare_sql($event_id)."";
420:
421:		$event_data=$this->db->Execute($sql);
422:
423:		if($event_data) {
424:			return $event_data;
                        ... 

# As you can see variable id is not filtered, so, we can use such exploit with any php settings:

http://[targethost]/[path]/event.php?id=[SQL]

# Bug discovered by The_HuliGun

# Greetz to: NaTka, hope you'll find yourself ;>

# See u soon!