Uploaded image for project: 'Newscoop'
  1. Newscoop
  2. CS-4181

SQL Injection in Newscoop (htbridge.com)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.5.3, 4.0 RC3
    • Fix Version/s: 4.0 RC4
    • Component/s: None
    • Labels:
      None
    • Originating Party:
      Experts

      Description

      2) SQL Injection in Newscoop

      2.1 Input passed via the "f_country_code" GET parameter to
      /admin/country/edit.php is not properly sanitised before being used in
      SQL query.
      This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

      The following PoC (Proof of Concept) demonstrates the vulnerability:

      http://[host]/admin/country/edit.php?f_country_code=%27%20union%20select%201,2,version%28%29%20--%202

        Attachments

          Activity

            People

            • Assignee:
              ofir.gal Ofir Gal
              Reporter:
              ofir.gal Ofir Gal
              Implemented by:
              Petr Jasek
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Potential Duplicates