SQL Injection Vulnerabilities in All In One Control Panel

vendor:

All In One Control Panel

by:

Not mentioned

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: All In One Control Panel

Affected Version From: 1.3.2009

Affected Version To: 1.3.2009

Patch Exists: NO

Related CWE: Not mentioned

CPE: Not mentioned

Metasploit:

Other Scripts:

Platforms Tested: Not mentioned

Not mentioned

SQL Injection Vulnerabilities in All In One Control Panel

All In One Control Panel is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize user-supplied input before using it in SQL queries. Additionally, keeping the software up to date with the latest version will also help in reducing the risk of exploitation.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22032/info

All In One Control Panel is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

All In One Control Panel 1.3.009 and prior versions are vulnerable.

http://www.example.com/AIOCP/public/code/cp_downloads.php?did=[sql]

http://www.example.org/AIOCP/public/code/cp_downloads.php?did='+UNION+SELECT+NULL,NULL,NULL,NULL,user_id,NULL,NULL,user_name,NULL,user_password,NULL,NULL,NULL,NULL,NULL+FROM+aiocp_users+WHERE+user_name<>'Anonymous