deV!Lz Clanportal Show Parameter SQL Injection Vulnerability

Bugtraq ID:	21391
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 01 2006 12:00AM
Updated:	Dec 02 2006 01:24AM
Credit:	Tim Weber is credited with the discovery of this vulnerability.
Vulnerable:	deV!Lz Clanportal deV!Lz Clanportal 1.3.6
Not Vulnerable:	deV!Lz Clanportal deV!Lz Clanportal 1.3.6 .1

deV!Lz Clanportal Show Parameter SQL Injection Vulnerability

deV!Lz Clanportal is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

This issue affects version 1.3.6; other versions may also be vulnerable.

deV!Lz Clanportal Show Parameter SQL Injection Vulnerability

Attackers can exploit this issue via a web client.

The following proof-of-concept URI is available:

http://www.example.com/index.php?show=-1'+%55NION+%53ELECT+1,+'Admin+Panel\',+level%3d4,+waffe%3d\'SQL+Injection',+2,+3,+'

deV!Lz Clanportal Show Parameter SQL Injection Vulnerability

Solution:
The vendor has released version 1.3.6.1 to address this issue.


deV!Lz Clanportal deV!Lz Clanportal 1.3.6

• deV!Lz Clanportal hotfix_1.3.6.1.rar
  http://www.dzcp.de/downloads/index.php?action=getfile&id=106

deV!Lz Clanportal Show Parameter SQL Injection Vulnerability

References:

• deV!Lz Clanportal Homepage (deV!Lz Clanportal)
  
• deV!L`z Clanportal - SQL Injection [061124a] (Tim Weber)