FileLister SQL inj. vuln.

2005-12-05T00:00:00
ID SECURITYVULNS:DOC:10527
Type securityvulns
Reporter Securityvulns
Modified 2005-12-05T00:00:00

Description

FileLister SQL inj. vuln.
Vuln. discovered by: r0t
Date: 5 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/filelister-sql-inj-vuln.html
Vendor: http://www.alltimeflashdreamer.org/filelister/doc/
Affected version: 0.51 and prior

Product Description: FileLister is a filesystem indexing tool with a web-based frontend. Running platform-independently in a web environment, its goal is to make files in large archives easy to find, using a rich set of search configuration options. Additionally, you may download single files or even create and download zip files on the fly from the results of your search.

Vuln. description: Input passed to the search parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution: Edit the source code to ensure that input is properly sanitised.
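To make the defect and the fix concrete, the following added example (not FileLister's own code, which is not reproduced in the advisory) models a file index with an in-memory SQLite table and shows a search function that splices the user's term into the SQL text next to the same search written with parameter binding. The table schema, the sample rows and the `public` column are constructed assumptions for the demo.

```python
import sqlite3


def build_index():
    # Constructed stand-in for an indexer's file table (assumed schema):
    # one row per indexed path, with a flag saying whether it may be listed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT, public INTEGER)")
    rows = [
        ("/archive/report-2005.pdf", 1),
        ("/archive/holiday.jpg", 1),
        ("/private/payroll.xls", 0),
    ]
    conn.executemany("INSERT INTO files (path, public) VALUES (?, ?)", rows)
    return conn


def search_unsafe(conn, term):
    # Vulnerable pattern: the search term becomes part of the SQL text, so a
    # quote character in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT path FROM files WHERE public = 1 AND path LIKE '%"
           + term + "%' ORDER BY path")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Hardened pattern: the SQL text is fixed and the term is bound as a value,
    # so whatever the user typed is matched literally and can never change the
    # query's structure.
    sql = "SELECT path FROM files WHERE public = 1 AND path LIKE ? ORDER BY path"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def unsafe_query_error(conn, term):
    # Returns the database error message the vulnerable search raises for a
    # term, or None if it ran. A legitimate term containing an apostrophe is
    # enough to break it, which is also what such a bug looks like in error logs.
    try:
        search_unsafe(conn, term)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    conn = build_index()
    print("plain term, unsafe:", search_unsafe(conn, "report"))
    print("plain term, safe:  ", search_safe(conn, "report"))
    print("apostrophe, unsafe:", unsafe_query_error(conn, "o'brien"))
    print("quote-injecting term, unsafe:", search_unsafe(conn, "' OR 1=1 OR '"))
    print("quote-injecting term, safe:  ", search_safe(conn, "' OR 1=1 OR '"))
```

With a plain term both functions return the same row. With a term containing a single quote the unsafe version either fails with a syntax error or, for a term that closes the quote and adds its own condition, drops the `public = 1` restriction and returns the non-public row as well; the bound version simply finds no path containing that literal string. The fix the advisory asks for is exactly the shape of `search_safe`: keep the query text constant and pass user input only as bound parameters.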