LI-countdown SQL Injection Vulnerability Feb 12 2008 07:13PM
sex aaa-aaa net ru
--------------------Summary----------------

Vendor: LI-Scripts

Vendor's Web Site: http://www.liscripts.net

Software: LI-countdown

Software's Web Site: http://www.liscripts.net/products.php#countdown

Critical Level: Moderate

Type: SQL Injection

Class: Remote

Status: Unpatched

PoC/Exploit: Not Available

Solution: Not Available

Discovered by: http://www.aaa-aaa.net.ru/

-----------------Description---------------

1. SQL Injection.

Vulnerable script: countdown.php

The 'years' parameter is not properly sanitized before being used in an SQL
query. This can be used to manipulate SQL queries by injecting arbitrary SQL
code.

Condition: magic_quotes_gpc = off
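
Added example (not LI-countdown's code and not from the advisory author): one way to handle a numeric request parameter such as 'years' so that the result does not depend on the magic_quotes_gpc setting, by validating it as a bounded integer and binding it in a prepared statement. The table, column and function names are hypothetical, and the sample values are constructed.

```php
<?php
declare(strict_types=1);
// Added illustration; table and column names are hypothetical, not taken from LI-countdown.

/** Return $raw as an int in [$min, $max], or null if it is not a plain decimal integer. */
function parse_years($raw, int $min = 0, int $max = 100): ?int
{
    // Rejects arrays, signs, whitespace, quotes and anything else that is not 1-3 digits.
    if (!is_string($raw) || !preg_match('/\A\d{1,3}\z/', $raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= $min && $n <= $max) ? $n : null;
}

/** Look up rows with a bound integer parameter; the value never becomes SQL text. */
function find_events(PDO $db, int $years): array
{
    $stmt = $db->prepare('SELECT title FROM events WHERE years_left = :years');
    $stmt->bindValue(':years', $years, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (title TEXT, years_left INTEGER)');
$db->exec("INSERT INTO events VALUES ('launch', 2), ('renewal', 5)");

// Constructed values standing in for $_GET['years']: two valid, three malformed.
foreach (['2', '5', "2'", ' 2', ['2']] as $raw) {
    $label = is_array($raw) ? 'array' : $raw;
    $years = parse_years($raw);
    if ($years === null) {
        echo "rejected: [{$label}]\n"; // malformed input never reaches the database
        continue;
    }
    echo "[{$label}] => " . implode(',', find_events($db, $years)) . "\n";
}
```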

--------------PoC/Exploit----------------------

Waiting for developer(s) reply.

--------------Solution---------------------

No Patch available.

--------------Credit-----------------------

Discovered by: http://aaa-aaa.net.ru/

Regards,

sex (at) aaa-aaa.net (dot) ru

http://www.aaa-aaa.net.ru/

Copyright 2010, SecurityFocus