Easy Fast Admin SQL Injection

2012.10.09

Credit: ANDREA BOCCHETTI

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Exploit Title:  Easy Fast Admin sql injection Vulnerability

Author: ANDREA BOCCHETTI

Security Risk : High - SQL Injection

download Link  Or Vendor Home: http://www.easyfastadmin.org

Affected versions:
All Cms version

Credits:
This vulnerability was discovered and researched by Andrea Bocchetti

Impact:
An attacker can execute SQL statements.

Vendor Status:
Vendor was contacted 

Timeline:
Vendor Notification - 04/10/2012
Vendor Response - nothing
Fix - no
Public Disclosure - 08/10/2012

Date: 08/10/2012

==================================
id  parametr is injectable

# Exploit : [SQL]

articoli.php?id [sql]
news.php?id [sql]

Demo : http://www.demo.com/news.php?id= sql
Demo : http://www.demo.com/articoli.php?id= sql
Demo : Demo : http://www.demo.com/xxx.php?id= sql

References:

http://www.easyfastadmin.org

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Easy Fast Admin SQL Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.