The Uploader 'username' Parameter SQL Injection Vulnerability
BID:52156
Info
| Bugtraq ID: | 52156 |
| Class: | Input Validation Error |
| CVE: | CVE-2011-2944 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 24 2012 12:00AM |
| Updated: | Mar 19 2015 08:20AM |
| Credit: | Danny Moules |
| Vulnerable: | The Uploader 2.0.4 |
| Not Vulnerable: | The Uploader 2.0.5 |
Discussion
The Uploader is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize the user-supplied 'username' parameter before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The Uploader versions prior to 2.0.5 are affected.
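The class of bug described above, as an added illustration that is not code from The Uploader or from the advisory: a lookup that splices the 'username' parameter into the SQL text beside the parameterized form that fixes it. The table, the rows and the `lookup_*` function names are constructed for this example; the project's real schema and query are not on this page.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory users table for the demo,
# not the project's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username):
    # Hypothetical vulnerable pattern: the untrusted parameter becomes part of
    # the SQL text, so a single quote inside it ends the literal and whatever
    # follows is parsed as SQL.
    return (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' ORDER BY id"
    )


def lookup_vulnerable(conn, username):
    return conn.execute(build_vulnerable_query(username)).fetchall()


def lookup_fixed(conn, username):
    # Parameterized query: the driver binds the value separately from the SQL
    # text, so quotes in the input never reach the parser as syntax.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()


# Two classic payloads: a tautology that widens the WHERE clause, and a
# comment terminator that discards the rest of the statement.
TAUTOLOGY = "x' OR '1'='1"
COMMENT_OUT = "x' OR 1=1 --"


def demo():
    conn = make_db()
    return {
        "vulnerable_sql": build_vulnerable_query(TAUTOLOGY),
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_comment": lookup_vulnerable(conn, COMMENT_OUT),
        "fixed_normal": lookup_fixed(conn, "alice"),
        "fixed_tautology": lookup_fixed(conn, TAUTOLOGY),
        "fixed_comment": lookup_fixed(conn, COMMENT_OUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the vulnerable builder, either payload turns a lookup for one user into a dump of every row; with the bound parameter the same strings simply match no user. Escaping the input by hand is a weaker fix than binding, because it has to be correct for every character set and quoting rule the database accepts.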
Exploit / POC
Attackers can use a browser to exploit this issue.
The following exploit is available:
Solution / Fix
Solution:
A vendor update (version 2.0.5) is available. Please see the references for more information.
References
References:
- The Uploader Project Page (SourceForge)