Aspmforum [ multiples injection sql (get&post)]

2006.12.06
Credit: laurent gaffi & benjamin moss
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-6270
CWE: CWE-Other


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

vendor site:http://www.kervancilar.com/ product:Aspmforum bug:injection sql (get & post) risk:high injection sql get : /forum.asp?baslik='[sql] /forum2.asp?baslik=2&soruid='[sql] /kullanicilistesi.asp?ak=&at=&harf='[sql] /kullanicilistesi.asp?at=baslayan&ak='[sql] once logged : /mesajkutum.asp?eylem=oku&mesajno='[sql] //private message injection sql post: in : /aramayap.asp Variables: kelimeler='[sql] or just post your query into the search engine ... in : /giris.asp Variables: kullaniciadi='[sql]&parola=&I1.x=0&I1.y=0&I1=Submit or just post your query into the username field laurent gaffi & benjamin moss http://s-a-p.ca/ contact: saps.audit (at) gmail (dot) com [email concealed]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top