Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

LI-countdown SQL Injection Vulnerability

From: sex () aaa-aaa net ru
Date: 12 Feb 2008 19:13:45 -0000
--------------------Summary---------------- 
Vendor: LI-Scripts 
Vendor's Web Site: http://www.liscripts.net 
Software: LI-countdown 
Sowtware's Web Site: http://www.liscripts.net/products.php#countdown
Critical Level: Moderate 
Type: SQL Injection 
Class: Remote 
Status: Unpatched 
PoC/Exploit: Not Available 
Solution: Not Available 
Discovered by: http://www.aaa-aaa.net.ru/

-----------------Description--------------- 
1. SQL Injection. 

Vulnerable script: countdown.php 

Parameter 'years' is not properly sanitized before being used in SQL 
query. This can be used to make SQL queries by injecting arbitrary SQL 
code. 

Condition: magic_quotes_gpc = off 

--------------PoC/Exploit---------------------- 
Waiting for developer(s) reply. 

--------------Solution--------------------- 
No Patch available. 

--------------Credit----------------------- 
Discovered by: http://aaa-aaa.net.ru/


Regards, 
sex () aaa-aaa net ru
http://www.aaa-aaa.net.ru/
Previous By Date Next
Previous By Thread Next

Current thread: