Nuked-Klan Index.PHP SQL Injection Vulnerability

Bugtraq ID:	17233
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 27 2006 12:00AM
Updated:	Mar 27 2006 10:14PM
Credit:	<[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	Nuked-Klan Nuked-Klan 1.7.5 Nuked-Klan Nuked-Klan 1.7 Nuked-Klan Nuked-Klan 1.5 SP2 Nuked-Klan Nuked-Klan 1.5 Nuked-Klan Nuked-Klan 1.4 Nuked-Klan Nuked-Klan 1.3 beta Nuked-Klan Nuked-Klan 1.3 Nuked-Klan Nuked-Klan 1.2 beta Nuked-Klan Nuked-Klan 1.2
Not Vulnerable:

Nuked-Klan Index.PHP SQL Injection Vulnerability

Nuked-Klan is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Nuked-Klan Index.PHP SQL Injection Vulnerability


This issue can be exploited through a web client.

The following proof of concept has been provided:

http://www.example.com/index.php?file=Calendar&m=[sql]&y=2006

Nuked-Klan Index.PHP SQL Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]:[email protected]

Nuked-Klan Index.PHP SQL Injection Vulnerability

References:

• Vendor Homepage (Nuked-Klan)
  
• nuked-klan<=1.7.5 SQL Injection ([email protected])