Vulnerability CVE-2008-6484


Published: 2009-03-18   Modified: 2012-02-12

Description:
SQL injection vulnerability in login.php in Mole Group Taxi Map Script (aka Taxi Calc Dist Script) allows remote attackers to execute arbitrary SQL commands via the user field.

See advisories in our WLB2 database:
Topic
Author
Date
High
Mole Group Taxi Calc Dist Script (Auth Bypass) SQL Injection Vuln
Cyb3r-1sT
20.03.2009

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Vendor: Mole-group
Product: Taxi calc dist script 

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.milw0rm.com/exploits/7010
http://www.securityfocus.com/bid/32140
https://exchange.xforce.ibmcloud.com/vulnerabilities/46382

Related CVE
CVE-2009-4673
SQL injection vulnerability in profile.php in Mole Group Adult Portal Script allows remote attackers to execute arbitrary SQL commands via the user_id parameter.
CVE-2009-4674
admin/admin.php in Mole Group Sky Hunter Airline Ticket Sale Script and Bus Ticket Script allows remote attackers to change an arbitrary password via a modified user_id field.
CVE-2009-4675
admin/admin_info/index.php in the Mole Group Gastro Portal (Restaurant Directory) Script does not require administrative authentication, which allows remote attackers to change the admin password via an unspecified form submission.
CVE-2008-6817
Mole Group Lastminute Script 4.0 and earlier stores passwords in cleartext, which allows context-dependent attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third par...
CVE-2008-6818
Mole Group Real Estate Script 1.1 and earlier stores passwords in cleartext, which allows context-dependent attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third pa...
CVE-2008-6225
** DISPUTED ** SQL injection vulnerability in info.php in Mole Group Airline Ticket Sale Script allows remote attackers to execute arbitrary SQL commands via the flight parameter. NOTE: the vendor has disputed this issue, stating "crazy hackers and...

Copyright 2019, cxsecurity.com

 

Back to Top