Multiple China-on-site.com Products Username and Password SQL Injection Vulnerabilities
Written by Osirys, x0r and S.W.A.T.   
Wednesday, 04 March 2009 22:13


-\\Bugtraq ID:
32810

-\\Class:
Input Validation Error

-\\CVE:
CVE-2008-6142


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Dec 14 2008 12:00AM

-\\Updated:
Mar 04 2009 07:46PM

-\\Credit:
Osirys, x0r and S.W.A.T.



-\\Vulnerable:
China-on-site.com FlexPHPSite 0.0.1
China-on-site.com FlexPHPNews Pro 0.0.6
China-on-site.com FlexPHPNews 0.0.6
China-on-site.com Flexphplink Pro 0.0.7
China-on-site.com Flexphplink Pro  0
China-on-site.com FlexPHPic Pro 0.0.3
China-on-site.com FlexPHPic 0.0.4
China-on-site.com FlexPHPDirectory 0.0.1
China-on-site.com Flexcustomer 0.0.6



-\\Discussion
Multiple China-on-site.com Products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following products are affected; other versions may also be affected:

FlexPHPNews 0.0.6
FlexPHPNews Pro 0.0.6
FlexPHPDirectory 0.0.1
FlexPHPSite 0.0.1
FlexPHPLink Pro 0.0.7
Flexcustomer 0.0.6
FlexPHPic 0.0.4
FlexPHPic Pro 0.0.3



-\\Exploit(s)/PoC(s):
Attackers can use a browser to exploit these issues.

The following example inputs are available:

username : ' or '1'='1
password : ' or '1'='1



-\\Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us.
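
With no vendor patch available, the fix has to be made in the login query itself. The following is an added example, not the vendor's code and not part of the original advisory: it shows a login check built by string concatenation next to a parameterized one, using the inputs quoted above. The table layout, the sample account, the function names and the use of SQLite from Python (the affected products are PHP applications) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "s3cret-example", salt,
                hash_password("s3cret-example", salt)))
    return db


def build_vulnerable_query(username, password):
    # Form input is pasted between quotes, so a quote in the input ends the
    # string literal and the rest is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def vulnerable_login(db, username, password):
    return db.execute(build_vulnerable_query(username, password)).fetchone() is not None


def hardened_login(db, username, password):
    # Placeholder binding: the input is always a value, never SQL text.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    # The password is verified in application code against a salted hash.
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the input quoted in the advisory
    print(build_vulnerable_query(payload, payload))
    print("vulnerable:", vulnerable_login(db, payload, payload))
    print("hardened:  ", hardened_login(db, payload, payload))
    print("hardened, real credentials:", hardened_login(db, "admin", "s3cret-example"))
```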



-\\Reference(s)
--FlexPHPNews Homepage
http://www.china-on-site.com/flexphpnews  (FlexPHPNews)
--Vendor Homepage
http://china-on-site.co  (China-on-site.com)
 
