Akiva Webboard SQL Injection

2011.12.30
Credit: Alexander Fuchs
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Hey, this is my first time that i report a vulnerability to a mailing list. The problem on the Akiva Webboard is, that you can login as Administrator with admin'-- (SQL Injection) and if you go to the adminprofil you can see the Adminpasswort in the HTML code. The current version is 9. I do only know this issue and verified it with the UN DESA ( /Department of Economic and Social Affairs) webboard 8.x / http://esaconf.un.org/WB/Default.asp?LogIn=yes&action=7 <http://esaconf.un.org/WB/Default.asp?LogIn=yes&action=7>. I post this to the hacker news (he retweeted it) and some guys added "hacked by" in the signature... :| As usual i cant contact the right person on UN to fix this issue. What do you think about it? Kind regards, Alexander Fuchs


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top