efiction 1.0/1.1/2.0 viewuser.php uid Parameter SQL Injection

2005-11-25T00:00:00
ID EDB-ID:26594
Type exploitdb
Reporter retrogod@aliceposta.it
Modified 2005-11-25T00:00:00

Description

efiction 1.0/1.1/2.0 viewuser.php uid Parameter SQL Injection. CVE-2005-4170 . Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/15568/info
   
eFiction is prone to SQL injection, remote file upload, and cross site scripting vulnerabilities.
   
These vulnerabilities may allow an attacker to view and modify sensitive information, gain unauthorized access, modify and corrupt the underlying database application, and obtain a victim's authentication credentials.
   
eFiction versions 1.0, 1.1 and 2.0 are reported to be vulnerable; other versions may also be affected. 

http://www.example.com/[path]/viewuser.php?uid='UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*