
LI-countdown SQL Injection Vulnerability

Vendor: LI-Scripts 
Vendor's Web Site: http://www.liscripts.net 
Software: LI-countdown 
Software's Web Site: http://www.liscripts.net/products.php#countdown
Critical Level: Moderate 
Type: SQL Injection 
Class: Remote 
Status: Unpatched 
PoC/Exploit: Not Available 
Solution: Not Available 
Discovered by: http://www.aaa-aaa.net.ru/

1. SQL Injection. 

Vulnerable script: countdown.php 

Parameter 'years' is not properly sanitized before being used in an SQL 
query. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code. 

Condition: magic_quotes_gpc = off 
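Illustration of the vulnerability class described above. This is an added example, not code from LI-countdown or from the advisory author; the schema, rows and the shape of the query are assumptions, since the advisory does not publish the script's SQL. It shows why the condition magic_quotes_gpc = off matters (quote escaping defeats a payload that has to break out of a quoted literal) and, going one step beyond the advisory, why escaping alone is not a fix (a 'years' value dropped into a numeric context needs no quote at all), against the only real remedy, a parameterized query.

```python
import sqlite3

# Constructed sample data for illustration only; the real LI-countdown
# schema is not known from the advisory.
ROWS = [
    (1, "launch", 2007),
    (2, "party", 2008),
    (3, "expo", 2009),
]


def connect():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countdown (id INTEGER, name TEXT, years INTEGER)")
    conn.executemany("INSERT INTO countdown VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe_quoted(conn, years):
    """Hypothetical vulnerable pattern: request input pasted into a quoted literal."""
    sql = "SELECT id FROM countdown WHERE years = '%s'" % years
    return [row[0] for row in conn.execute(sql)]


def lookup_unsafe_numeric(conn, years):
    """Hypothetical vulnerable pattern: request input pasted into a numeric context."""
    sql = "SELECT id FROM countdown WHERE years = %s" % years
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """Quote escaping in the spirit of magic_quotes_gpc.

    SQLite uses SQL-standard '' doubling, so that is emulated here instead of
    PHP's backslash form; the effect on the payloads below is the same.
    """
    return value.replace("'", "''")


def lookup_safe(conn, years):
    """Parameterized query: the value travels separately from the SQL text."""
    sql = "SELECT id FROM countdown WHERE years = ?"
    return [row[0] for row in conn.execute(sql, (years,))]


if __name__ == "__main__":
    conn = connect()
    quoted_payload = "' OR '1'='1"        # breaks out of the quoted literal
    numeric_payload = "2008 OR 1=1"       # needs no quote at all

    # magic_quotes_gpc = off: the quoted payload returns every row
    print("quoted, no escaping :", lookup_unsafe_quoted(conn, quoted_payload))
    # magic_quotes_gpc = on: the same payload is neutralised by escaping
    print("quoted, escaped     :", lookup_unsafe_quoted(conn, escape_quotes(quoted_payload)))
    # escaping does nothing for a numeric context, every row still comes back
    print("numeric, escaped    :", lookup_unsafe_numeric(conn, escape_quotes(numeric_payload)))
    # a bound parameter is compared as a value, never parsed as SQL
    print("parameterized       :", lookup_safe(conn, quoted_payload))
```

The takeaway for the fix: treating magic_quotes_gpc as the mitigation only holds while the injected value lands inside a quoted string; binding 'years' as a parameter (or casting it to an integer before use) closes both cases.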

Waiting for developer(s) reply. 

No Patch available. 
