phpwebsite0101.txt

17 Aug 2005 00:00:00 | Reported by matrix killer | Type: packetstorm | Source: packetstormsecurity.com

phpWebSite 0.10.1 Full SQL Injection vulnerability, no vendor response

`TITLE:  
=====  
phpWebSite 0.10.1 Full SQL Injection  
  
SOFTWARE:  
==========  
phpWebSite 0.10.1 Full  
  
INFO:  
=====  
phpWebSite provides a complete web site content management system.  
  
DESCRIPTION:  
============  
phpWebSite 0.10.1 full is vulnerable to an SQL injection attack. Here  
is an example:  
  
http://localhost/phpweb/index.php?module=[sql_injection]  
  
DB Error: syntax error  
SELECT show_block, block_title FROM mod_search WHERE  
module='[sql_injection]' [nativecode=1064 ** You have an error in your  
SQL syntax. Check the manual that corresponds to your MySQL server  
version for the right syntax to use near ''[sql_injection]'' at line  
1]  
  
PATCH:  
======  
A simple filter function will do, or make the script accept only  
a-b,A-B,0-9 characters  
  
VENDOR STATUS:  
===============  
The vendors were contacted but no response received.  
  
CREDITS:  
========  
This vulnerability was discovered and researched by   
matrix_killer of h4cky0u Security Forums.  
  
mail : matrix_k at abv.bg  
  
web : http://www.h4cky0u.org  
  
  
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!  
  
===========  
  
http://h4cky0u.org/viewtopic.php?t=1967  
--   
http://www.h4cky0u.org  
(In)Security at its best...  
`
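
The fix suggested under PATCH, sketched as an added example (not phpWebSite's own code and not part of the original advisory): the `module` value is checked against a character allowlist, read here as letters and digits, and then passed to the query as a bound parameter. The table and column names are taken from the error message above; the function names, the PDO/SQLite setup and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not phpWebSite code. Table and column names come from the
// error message in the advisory; everything else is assumed for illustration.

/**
 * Allowlist check for the `module` request parameter.
 * Assumption: module names are short tokens of letters and digits only.
 */
function valid_module_name($value): bool
{
    // Also rejects arrays (index.php?module[]=x) and empty strings.
    return is_string($value)
        && preg_match('/\A[A-Za-z0-9]{1,32}\z/', $value) === 1;
}

/**
 * Look up the search block for a module using a bound parameter, so the
 * request value is never concatenated into the SQL text.
 */
function find_search_block(PDO $db, $module): ?array
{
    if (!valid_module_name($module)) {
        // Caller should answer with a generic error page, not the DB error
        // text that the advisory shows being returned to the client.
        return null;
    }
    $stmt = $db->prepare(
        'SELECT show_block, block_title FROM mod_search WHERE module = :module'
    );
    $stmt->execute([':module' => $module]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mod_search (module TEXT, show_block INTEGER, block_title TEXT)');
$db->exec("INSERT INTO mod_search VALUES ('announce', 1, 'Announcements')");

// Constructed inputs: a known module, an unknown one, one with a quote, an array.
foreach (['announce', 'calendar', "announce'", ['announce']] as $input) {
    $row = find_search_block($db, $input);
    echo json_encode($input), ' => ', json_encode($row), PHP_EOL;
}
```

Only the first input returns a row; the value containing a quote and the array value are rejected by the allowlist before any query is prepared.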
