BID:13395

MetaBid Auctions intAuctionID Parameter Remote SQL Injection Vulnerability

Info

MetaBid Auctions intAuctionID Parameter Remote SQL Injection Vulnerability

Bugtraq ID:	13395
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 26 2005 12:00AM
Updated:	Apr 26 2005 12:00AM
Credit:	dcrab <[email protected]> is credited with the discovery of this issue.
Vulnerable:	MetaLinks MetaBID Auction

Not Vulnerable:

Discussion

MetaBid Auctions intAuctionID Parameter Remote SQL Injection Vulnerability

A remote SQL injection vulnerability affects MetaBid Auctions. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in SQL queries.

An attacker may exploit this issue to manipulate SQL queries to the underlying database. This may facilitate the theft of sensitive information, potentially including authentication credentials, and data corruption.

Exploit / POC

MetaBid Auctions intAuctionID Parameter Remote SQL Injection Vulnerability

No exploit is required to leverage this issue.

The following proof of concept is available:

http://example.com/metabid/item.asp?intAuctionID='SQL_INJECTION

Solution / Fix

MetaBid Auctions intAuctionID Parameter Remote SQL Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

MetaBid Auctions intAuctionID Parameter Remote SQL Injection Vulnerability

References:

MetaLinks Home Page (MetaLinks)
Multiple SQL Injections in MetaBid Auctions (dcrab )