Bugtraq mailing list archives
Sql Injection in Confixx 3.06 & 3.08 & 3.?? ?
From: "Erich Klaus" <DR.erich () gmx net>
Date: Mon, 25 Apr 2005 14:54:20 +0200 (MEST)
SQL injection is possible with reseller rights: i.e. it is possible to enter '# in the "change user" field. As a result you get a list of all added users on the server. With a special malformed string it is possible to execute any SQL command as the Confixx MySQL user on the Confixx database.

The vendor was informed about it over a month ago, while 3.06 was up to date. 3.08 was released; the bug still exists.
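Why the two characters '# have the effect the post reports, as an added example that is not part of the original post and not Confixx code: the sketch (in Python, for a runnable illustration) computes what MySQL is left to execute after a `#` comment and puts the concatenated query beside an allowlisted, parameterized one. The query shape, the table and column names (`kunden`, `kunde`, `anbieter`) and the user-name format are assumptions; the post does not show the real SQL.

```python
import re

# Hypothetical query shape: the post does not show Confixx's real SQL.
# Table and column names (kunden, kunde, anbieter) are assumptions.
TEMPLATE = "SELECT kunde FROM kunden WHERE kunde LIKE '%{term}%' AND anbieter = '{reseller}'"

def build_vulnerable(term, reseller):
    """String concatenation, the pattern that makes the reported bug possible."""
    return TEMPLATE.format(term=term, reseller=reseller)

def effective_sql(query):
    """Text MySQL executes: everything before the first '#' outside a string literal.
    Only the '#' comment style from the post is modelled, on a single-line query."""
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":                      # backslash escape: skip next char
                i += 1
            elif ch == "'":
                if query[i + 1:i + 2] == "'":   # doubled quote stays in the literal
                    i += 1
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
        elif ch == "#":
            return query[:i].rstrip()
        i += 1
    return query

def scope_survives(query):
    """True if the reseller restriction is still part of the executed statement."""
    return "anbieter =" in effective_sql(query)

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed account-name format

def build_parameterized(term, reseller):
    """Hardened form: allowlist the input and keep values out of the SQL text.
    %s is the placeholder style of the common Python MySQL drivers."""
    if not USERNAME_RE.fullmatch(term):
        raise ValueError("invalid user name")
    sql = "SELECT kunde FROM kunden WHERE kunde LIKE %s AND anbieter = %s"
    return sql, ("%" + term + "%", reseller)
```

With the concatenated form, the input closes the string literal and the comment removes the clause that limits results to the reseller's own users; the parameterized form rejects the input before any SQL is built.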