Kubelance SQL Injection

vendor:

Kubelance

by:

L0rd CrusAd3r aka VSN

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Kubelance

Affected Version From: 1.7.6

Affected Version To: 1.7.6

Patch Exists: NO

Related CWE: N/A

CPE: kubelabs:kubelance

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Kubelance is a web-based software that allows users to create and bid on projects with an integrated Escrow system. It comes with 10 templates for users to choose from and supports multiple languages. It also has a powerful Admin panel for controlling the site and a plugin payment system for additional payment methods. However, it is vulnerable to SQL Injection attacks.

Mitigation:

Input validation and sanitization should be used to prevent SQL Injection attacks. Additionally, web application firewalls can be used to detect and block malicious requests.

Source

Exploit-DB raw data:

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:Kubelance SQL Injection
Vendor url:http://www.kubelabs.com
Version:1.7.6
Price:90$
Published: 2010-06-19
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to
all ICW members.
Spl Greetz to:inj3ct0r.com Team, Andhra hackers.com

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Description:

Full Source Code

When you purchase Kubelance you receive the full open source code allowing
you to edit the software in any way you require.

Installation

Kubelance uses a simple wizard installations making it very easy to install
but if you want our support team will install it for you free of charge.

Escrow

Kubelance features an integrated Escrow system that allow users to create
and bid on projects with peace of mind that they will receive the correct
amount for their endeavors.

Templates

Kubelance comes with 10 templates for you to choose from, each template
comes packaged with the photoshop file so you can edit the logo, buttons,
etc. Kubelance uses easy to edit html template files so creating your own
unique template couldn't be easier.

Languages

Kubelance currently supports English, German, French, Spanish, Italian and
Norwegian. The default Language can be quickly and easily changed from the
admin area.

If your required language is not currently supported it is very simple for
you to translate it by creating a new language file. Individual users of the
site can also select their required language from the manage account page.

Upgrades

The kubelabs support team is constantly working on bringing new features to
Kubelance, clients are entitled to one year of free updates.

Admin

Kubelance uses a powerful Admin panel for controlling your site.

Payment

Plugin payment system (allows for additional payment methods to be installed
easily)
Charge a fee for each project and job
Supports Paypal, NoChex, Money Bookers and egold.

Additional features

1 year of support via email
Private Messaging.
Allows buyer and provider to discuss projects.
No need to setup a cronjob.
Custom Fields, Collect extra data for projects and accounts.
Attach files to projects and bids.

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Vulnerability:

*SQLi Vulnerability

DEMO URL :

http://server/kubelance/profile.php?id=[sql]

# 0day n0 m0re #
# L0rd CrusAd3r #