Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability
Title: Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability
Advisory ID: ZSL-2010-4949
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 14.08.2010
Summary

Content Management System (PHP+MySQL).

Description
The CMS is vulnerable to an SQL Injection attack when input is passed to the "news_id" parameter. The script fails to properly sanitize the input before using it, allowing an attacker to compromise the entire DB system and view sensitive information.

--------------------------------------------------------------------------------
GET .../show_news.php?news_id=xx%27
1064 - You have an error in your SQL syntax. Check the manual that corresponds
to your MySQL server version for the right syntax to use near '\'' at line xx.
--------------------------------------------------------------------------------
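The following Python example is added here and is not part of the advisory or the vendor's code. It reproduces the pattern described above against a constructed in-memory SQLite table (the CMS itself is PHP/MySQL; the table and column names are assumptions): a handler that splices news_id straight into the query text fails with a syntax error on a trailing quote, the same symptom the PoC shows, while a handler that validates the type and binds the value as a parameter refuses the malformed input without ever letting it reach the SQL parser.

```python
import sqlite3

# Constructed stand-in for the CMS's news table; the real schema is not shown
# in the advisory, so the table and column names here are assumptions.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (news_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "Season opener"), (2, "Roster update")])
    return conn

def show_news_vulnerable(conn, news_id):
    """The flaw the advisory describes: the raw request parameter is spliced
    into the SQL text, so a stray quote alters the statement itself."""
    sql = "SELECT title FROM news WHERE news_id = " + news_id
    return [row[0] for row in conn.execute(sql)]

def show_news_fixed(conn, news_id):
    """Hardened form: enforce the expected type up front, then pass the value
    as a bound parameter so it is treated as data, never as SQL."""
    if not news_id.isdigit():
        raise ValueError("news_id must be a non-negative integer")
    sql = "SELECT title FROM news WHERE news_id = ?"
    return [row[0] for row in conn.execute(sql, (int(news_id),))]

def classify(func, conn, news_id):
    """Run a handler and report whether the database saw a broken statement
    (the 1064-style error in the advisory), the input was refused, or rows
    came back normally."""
    try:
        rows = func(conn, news_id)
    except sqlite3.OperationalError:
        return "sql syntax error"
    except ValueError:
        return "input rejected"
    return rows

def demo():
    conn = build_db()
    quoted = "1'"  # constructed: a trailing quote, as in the advisory's PoC request
    return {
        "vulnerable_normal": classify(show_news_vulnerable, conn, "1"),
        "vulnerable_quoted": classify(show_news_vulnerable, conn, quoted),
        "fixed_normal": classify(show_news_fixed, conn, "1"),
        "fixed_quoted": classify(show_news_fixed, conn, quoted),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The syntax error in the vulnerable path is the observable the PoC relies on: it proves the request value reached the SQL parser as code. Rejecting anything that is not a plain integer before the query is built, and binding the value as a parameter, removes that path; the verbose database error message should also be replaced by a generic error page so failures are not echoed back to the client.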
Vendor

Athlete Web Services, Inc. / AWS Sports - http://www.athletewebservices.com

Affected Version

1.1 and 2.0

Tested On

Microsoft IIS 6.0
MySQL 4.0.15-log
PHP 4.3.3

Vendor Status

[05.06.2010] Vulnerability discovered.
[09.08.2010] Vendor contacted.
[13.08.2010] No response from vendor.
[14.08.2010] Public advisory released.

PoC

awscms_sql.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://www.exploit-db.com/exploits/14645/
[2] http://www.0daynet.com/2010/0815/977.html
[3] http://securityreason.com/exploitalert/8711
[4] http://securityreason.com/wlb_show/WLB-2010080044
[5] http://packetstormsecurity.org/filedesc/ZSL-2010-4949.txt.html
[6] http://xforce.iss.net/xforce/xfdb/61149
[7] http://2fwww.secday.com/thread-26728-1-6.html

Changelog

[14.08.2010] - Initial release
[15.08.2010] - Added reference [2]
[16.08.2010] - Added reference [3] and [4]
[17.08.2010] - Added reference [5] and [6]
[06.09.2010] - Added reference [7]

Contact

Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk