Vendor: eFiction
By: Unknown
CVSS: 7.5 (HIGH)
Vulnerability classes: SQL Injection, Remote File Upload, Cross Site Scripting (XSS)
CWE: 89, 434, 79
Product Name: eFiction
Affected Version From: 1.0
Affected Version To: 2.0
Patch Exists: Unknown
Related CWE: Unknown
CPE: a:efiction:efiction
Metasploit:
Other Scripts:
Platforms Tested: Unknown

eFiction SQL Injection, Remote File Upload, and XSS Vulnerabilities

eFiction versions 1.0, 1.1 and 2.0 are reported vulnerable to SQL injection, remote file upload, and cross-site scripting (XSS); other versions may also be affected. An attacker can use these flaws to read and modify sensitive data, gain unauthorized access, alter or corrupt the underlying database, and capture a victim's authentication credentials. The published SQL injection example targets the uid parameter of viewuser.php. The value is placed inside a quoted string in the query, so a leading single quote closes that string; a UNION SELECT whose column count matches the original query (15 in the published request) then selects the password column of fanfiction_authors into a position the page echoes back, and a trailing /* comments out the remainder of the original query. The raw request is reproduced in the Exploit-DB data below.

Mitigation:

To mitigate the SQL injection, pass user input to the database only through parameterized queries (prepared statements) and coerce numeric identifiers such as uid to integers before use, rather than relying on string escaping. For the upload flaw, accept only an allow-list of file types, store uploads outside the web root under server-generated names, and never serve them as executable scripts. For the XSS, validate input and HTML-encode every user-controlled value at output in the context where it is rendered.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15568/info
   
eFiction is prone to SQL injection, remote file upload, and cross site scripting vulnerabilities.
   
These vulnerabilities may allow an attacker to view and modify sensitive information, gain unauthorized access, modify and corrupt the underlying database application, and obtain a victim's authentication credentials.
   
eFiction versions 1.0, 1.1 and 2.0 are reported to be vulnerable; other versions may also be affected. 

http://www.example.com/[path]/viewuser.php?uid='UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*