PHP Dir Submit Login SQL Injection Vulnerability

Posted on Monday, May 25, 2009 @ 15:21:45 CDT in Security
by Raven

SECUNIA ADVISORY ID: SA35125

VERIFY ADVISORY: http://secunia.com/advisories/35125/

Critical: Moderately Critical

DESCRIPTION: A vulnerability has been reported in PHP Dir Submit, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the username and password when logging in to the administrator panel is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

SOLUTION: Restrict access to the administrator panel (e.g. via ".htaccess").

PROVIDED AND/OR DISCOVERED BY: Snakespc

ORIGINAL ADVISORY: http://milw0rm.com/exploits/8710
 
 
Associated TopicsPHP