The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


LI-Guestbook SQL Injection Vulnerability


<< Previous INDEX Search src / Print Next >> 
Date: Mon, 5 Mar 2007 18:37:15 +0200 (EET)
Subject: LI-Guestbook SQL Injection Vulnerability
From: [email protected]
To: [email protected]
User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hspc.xpromt.net
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [517 506] / [47 12]
X-AntiAbuse: Sender Address Domain - belsec.com
X-Source: /usr/local/cpanel/3rdparty/bin/php
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/3rdparty/squirrelmail/src/compose.php 
X-Source-Dir: :/base/3rdparty/squirrelmail/src
X-Virus-Scanned: antivirus-gw at tyumen.ru

New Advisory:
LI-Guestbook SQL Injection Vulnerability
http://belsec.com/advisories/139/summary.html

--------------------Summary----------------
Belsec ID: BS0001
Vendor: LI-Scripts
Vendor's Web Site: http://www.liscripts.net
Software: LI-Guestbook
Sowtware's Web Site: http://www.liscripts.net/products.php#guestbook
Versions: 1.1
Critical Level: Moderate
Type: SQL Injection
Class: Remote
Status: Unpatched
PoC/Exploit: Not Available
Solution: Not Available
Discovered by: Belsec Team

-----------------Description---------------
1. SQL Injection.

Vulnerable script: guestbook.php

Parameter 'country' is not properly sanitized before being used in SQL
query. This can be used to make SQL queries by injecting arbitrary SQL
code.

Condition: magic_quotes_gpc = off

--------------PoC/Exploit----------------------
Waiting for developer(s) reply.

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Belsec Team


Regards,
Belsec Team
http://belsec.com

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру