Uzbey: SQL injection, tile zoom script, tile ID

2014-06-22T21:52:40
ID H1:17227
Type hackerone
Reporter bitquark
Modified 2014-07-18T20:25:51

Description

The tile ID parameter to the tile zoom script is vulnerable to SQL injection.

The following will cause the script to run a benchmark, returning an error 8-10 seconds later:

https://staging.uzbey.com/zoom-image/BENCHMARK(10000000,SHA1(1))
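The defect described in the report is the classic one: a URL path segment that should only ever be an integer is spliced into SQL text, so the database evaluates whatever expression is placed there (here, a long-running BENCHMARK call that shows up as an 8-10 second delay). The following Python is an added illustration and is not code from the report or from Uzbey's application; the table name, column names and the use of an in-memory SQLite database are assumptions standing in for the unknown real schema. It puts the vulnerable lookup beside a hardened one (strict identifier validation plus a bound parameter) and adds a small log check that flags zoom-image requests whose tile segment is not a plain integer.

```python
import re
import sqlite3
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample schema: a tiny tiles table behind /zoom-image/<tile_id>.
# The real application's schema is not known; this is only an assumption.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tiles (id INTEGER PRIMARY KEY, path TEXT)")
    conn.executemany(
        "INSERT INTO tiles VALUES (?, ?)",
        [(1, "tiles/1.png"), (2, "tiles/2.png")],
    )
    return conn


def lookup_tile_vulnerable(conn: sqlite3.Connection, tile_id: str) -> Optional[str]:
    # Vulnerable pattern: the path segment is interpolated into the SQL text, so
    # the database parses it as SQL. Any function call or expression in the
    # segment is evaluated server-side instead of being compared as a value.
    row = conn.execute(f"SELECT path FROM tiles WHERE id = {tile_id}").fetchone()
    return row[0] if row else None


# A tile id is a short decimal integer and nothing else.
TILE_ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_tile_safe(conn: sqlite3.Connection, tile_id: str) -> Optional[str]:
    # Hardened pattern: reject anything that is not an integer up front, then
    # bind the value as a query parameter so it can never alter the statement.
    if not TILE_ID_RE.fullmatch(tile_id):
        raise ValueError("tile id must be a decimal integer")
    row = conn.execute(
        "SELECT path FROM tiles WHERE id = ?", (int(tile_id),)
    ).fetchone()
    return row[0] if row else None


def interpreted_as_sql(conn: sqlite3.Connection, tile_id: str) -> bool:
    """True if the vulnerable lookup handed the input to the SQL parser.

    SQLite has no BENCHMARK() or SHA1() function, so it raises an
    OperationalError ("no such function") for the report's payload, which
    proves the text reached the database as SQL rather than as a value.
    """
    try:
        lookup_tile_vulnerable(conn, tile_id)
    except sqlite3.OperationalError:
        return True
    return False


def safe_rejects(conn: sqlite3.Connection, tile_id: str) -> bool:
    """True if the hardened lookup refuses the input before any query runs."""
    try:
        lookup_tile_safe(conn, tile_id)
    except ValueError:
        return True
    return False


# Constructed access-log lines in common log format (not real Uzbey logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jun/2014:21:52:40 +0000] "GET /zoom-image/42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Jun/2014:21:52:41 +0000] '
    '"GET /zoom-image/BENCHMARK(10000000,SHA1(1)) HTTP/1.1" 500 312',
    '198.51.100.9 - - [22/Jun/2014:21:52:42 +0000] "GET /zoom-image/7 HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) /zoom-image/([^ ?"]+)')


def flag_suspicious_requests(lines: List[str]) -> List[str]:
    # Detection: return every zoom-image tile segment that is not a plain
    # integer. Segments are percent-decoded first because servers may log
    # parentheses and commas in encoded form.
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            segment = unquote(m.group(1))
            if not TILE_ID_RE.fullmatch(segment):
                flagged.append(segment)
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("safe lookup of 1:", lookup_tile_safe(db, "1"))
    print("payload reached SQL parser:", interpreted_as_sql(db, "BENCHMARK(10000000,SHA1(1))"))
    print("hardened lookup rejects payload:", safe_rejects(db, "BENCHMARK(10000000,SHA1(1))"))
    print("flagged requests:", flag_suspicious_requests(SAMPLE_LOG))
```

The validation step is deliberately separate from parameter binding: binding alone stops the injection, but rejecting malformed identifiers at the edge also gives the log check a clear signal and keeps malformed input from reaching the database at all. The same integer check run over access logs is enough to surface the request shape shown in the report.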