Vendor: FAQMasterFlex
By: cyb3r.anbu
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: FAQMasterFlex
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: NO
Related CWE: N/A
CPE: FAQMasterFlex
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu
2020

SQL Injection in FAQMasterFlex

A SQL injection vulnerability was found in FAQMasterFlex, which is offered as one of the Fantastico auto-install software packages in the F.A.Q software section. The vulnerability is in the faq.php file, where user input is not properly sanitized before being used in a SQL query. An attacker can exploit it by sending a crafted HTTP request with a malicious SQL query in the 'cat_name' and 'category_id' parameters.

Mitigation:

Input validation should be used to prevent SQL Injection attacks. All user-supplied input should be validated and filtered before being used in a SQL query.
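
As an added example (not code from FAQMasterFlex or from the advisory), this is one way the category lookup in faq.php could apply that mitigation: the id is validated as a positive integer and then bound as a query parameter instead of being interpolated into the SQL string. The helper names parse_category_id and fetch_faqs, the in-memory SQLite table and the sample inputs are constructed for illustration, and PDO with the SQLite driver is assumed to be available.

```php
<?php
declare(strict_types=1);

// Accept category_id only as a positive integer string; anything else
// (quotes, trailing text, arrays such as category_id[]=1) yields null.
function parse_category_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as a typed parameter and never concatenated into the SQL text.
function fetch_faqs(PDO $pdo, int $categoryId): array
{
    $stmt = $pdo->prepare('SELECT * FROM faqs WHERE category_id = :category_id');
    $stmt->bindValue(':category_id', $categoryId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in database so the example runs offline (assumption: pdo_sqlite).
// Against MySQL, use a mysql: DSN and set PDO::ATTR_EMULATE_PREPARES => false.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE faqs (id INTEGER PRIMARY KEY, category_id INTEGER, question TEXT)');
$pdo->exec("INSERT INTO faqs (category_id, question) VALUES (1, 'Q in cat 1'), (2, 'Q in cat 2')");

// Constructed request values, standing in for $_GET['category_id'].
$samples = ['2', "2'", '2 abc', '-1', ['2']];

foreach ($samples as $raw) {
    $categoryId = parse_category_id($raw);
    if ($categoryId === null) {
        // In faq.php: send http_response_code(400) and stop without running any query.
        printf("%-10s rejected\n", json_encode($raw));
        continue;
    }
    try {
        $rows = fetch_faqs($pdo, $categoryId);
        printf("%-10s %d row(s)\n", json_encode($raw), count($rows));
    } catch (PDOException $e) {
        // Log server-side; unlike die(mysql_error()), send no database error text to the client.
        error_log('faq.php query failed: ' . $e->getMessage());
    }
}
```

The mysql_* functions used in the original snippet were removed in PHP 7.0, so the query has to be ported to PDO or mysqli in any case.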
Source

Exploit-DB raw data:

Hi guys, I just found an SQLi bug in FAQMasterFlex. The software is used as one of the Fantastico auto-install software packages in the F.A.Q software section.
# Author: [cyb3r.anbu]
# Software Link: [http://www.lethalpenguin.net/design/faqmasterflex.php]
# Version: [1.2]
# Tested on: [Ubuntu]

thx: modpr0be, oebaj, bpdp, wamika crew

Bugs found on faq.php:
--snip--
<p><a href="<?php echo "$_SERVER[PHP_SELF]?print=true&cat_name=$cat_name&category_id=$category_id" ?>">Print FAQs</a></p>
    <table width="100%" border="0" cellpadding="8" cellspacing="0">
        <?php
                include "faq_config.php";
                $result = mysql_query("SELECT * FROM faqs WHERE category_id = '$category_id'") or die(mysql_error());
                while ($row = mysql_fetch_array($result)) {
--snip--

PoC:
http://victim/FAQMasterFlex/faq.php?print=true&cat_name=cinema&category_id=[validid][SQL Injection]

thanks for your attention,

regards,
cyb3r.anbu