MyTopix Sql Injection & Path Disclosure

2006.02.05
Credit: trueend5
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

KAPDA New advisory

Vendor: http://www.jaia-interactive.com
Vulnerable: Version: 1.2.3
Bug: Sql Injection & Path Disclosure
Exploitation: Remote with browser

Description:
--------------------
MyTopix is a PHP-based message board system that uses a MySQL database.

Vulnerability:
--------------------
-Sql Injection :
The software does not properly validate user-supplied input in 'search.php'. A remote user can create specially crafted parameter values that will execute SQL commands on the underlying database.

HTTP Method: GET
http://example.com/mytopix/index.php?a=search&CODE=02&mid=[SQL]

HTTP Method: POST
method="post" action="http://example.com/mytopix/index.php?a=search&CODE=01"
name="keywords" value="kapda') AS topics_score FROM my_posts p LEFT JOIN my_topics t ON t.topics_id = p.posts_topic/*"

--------------------
-Path Disclosure:
There is no restriction on accessing the include files directly. A remote user can supply a specially crafted URL to cause the system to display an error message that discloses the installation path.
http://example.com/mytopix/modules/logon.mod.php

+ another Path Disclosure bug in highlight mode:
http://example.com/mytopix/index.php?gettopic=10&hl=kapda')

Solution:
--------------------
There is no vendor supplied patch for this issue at this time.

Original Advisories:
--------------------
http://kapda.ir/advisory-249.html
In Farsi: http://irannetjob.com/content/view/195/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
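Since no vendor patch exists, one way to watch for the GET-based request patterns listed above is to scan web server access logs. This is an added example, not part of the KAPDA advisory or of MyTopix. It assumes combined-format access log lines, that `mid` is normally a numeric id, and that quote or comment tokens in `hl` are anomalous; the log lines are constructed.

```python
# Added example (not from the KAPDA advisory or MyTopix). Assumptions: combined-format
# access logs, numeric `mid`, and quote/comment tokens in `hl` being anomalous.
import re
from urllib.parse import urlsplit, parse_qs

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SQL_META_RE = re.compile(r"""['"`;]|/\*""")  # quote, semicolon, comment opener
MODULE_RE = re.compile(r"/modules/[^/]+\.mod\.php$", re.IGNORECASE)
NUMERIC_RE = re.compile(r"[0-9]+")

def classify(line):
    """Return a list of finding labels for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # values come back URL-decoded
    findings = []
    # Path disclosure: include file requested directly instead of via index.php.
    if MODULE_RE.search(url.path):
        findings.append("direct-module-access")
    if url.path.endswith("/index.php"):
        # SQL injection vector: a=search carrying a `mid` that is not a plain number.
        if params.get("a") == ["search"]:
            if any(not NUMERIC_RE.fullmatch(v) for v in params.get("mid", [])):
                findings.append("search-mid-not-numeric")
        # Highlight-mode path disclosure: metacharacters inside `hl`.
        if any(SQL_META_RE.search(v) for v in params.get("hl", [])):
            findings.append("hl-metacharacters")
    return findings

# Constructed sample lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Feb/2006:10:00:01 +0000] "GET /mytopix/index.php?a=search&CODE=02&mid=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Feb/2006:10:00:07 +0000] "GET /mytopix/index.php?a=search&CODE=02&mid=12%27x HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/Feb/2006:10:00:09 +0000] "GET /mytopix/modules/logon.mod.php HTTP/1.1" 200 301',
    '203.0.113.9 - - [05/Feb/2006:10:00:12 +0000] "GET /mytopix/index.php?gettopic=10&hl=kapda%27) HTTP/1.1" 200 640',
]

def scan(lines):
    """Map line index -> findings, keeping only lines that triggered a rule."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

The POST `keywords` vector does not appear in standard access logs, so covering it requires request-body logging at a reverse proxy or WAF.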

