Jamit Job Board 2.4.x SQL inj.

Type securityvulns
Reporter Securityvulns
Modified 2005-12-14T00:00:00

Vuln. discovered by: r0t
Date: 14 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/jamit-job-board-24x-sql-inj.html
Vendor: http://www.jamit.com.au/
Affected version: 2.4.1 and prior

Product Description:

Job Board Pro is a PHP application for running and managing a jobs portal website. It is written in PHP and supported by a MySQL database. It is a complete script for those who want to run a professional Job Board website, with all the features you would expect, and it is simple and easy to navigate and use. The Job Board script was designed by applying many of the principles learned from the study of Human-Computer Interaction (HCI). Features include an Employer's area, a Job Seeker's area, email alerts, job search, online resumes, multi-lingual support, dynamic forms, a billing system for subscriptions and posting credits (integrated with PayPal IPN), and more.

Vuln. Description:

Job Board Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "cat" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example: /index.php?cat=[SqL]

Solution: Edit the source code to ensure that input is properly sanitised.
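The fix the advisory calls for, shown as an added illustration rather than Jamit's own code: a hypothetical category lookup in the style of index.php, first with the "cat" parameter spliced into the query text, then rewritten to validate the value and pass it as a bound parameter (the jobs table and its column names are assumed).

```php
<?php
// Added example, not Jamit Job Board source. Table and column names are assumed.

// Vulnerable pattern: the raw "cat" value becomes part of the SQL text, so the
// client controls the statement's structure, not just the value it compares.
function list_jobs_vulnerable(PDO $db, array $get): array
{
    $cat = $get['cat'] ?? '';
    $sql = "SELECT id, title FROM jobs WHERE category_id = " . $cat;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the query text is fixed at prepare time and the value
// travels separately as a typed parameter, so it can never alter the query.
function list_jobs_fixed(PDO $db, array $get): array
{
    // Category ids are integers; reject anything else before touching the DB.
    $cat = filter_var($get['cat'] ?? '', FILTER_VALIDATE_INT);
    if ($cat === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, title FROM jobs WHERE category_id = :cat');
    $stmt->bindValue(':cat', $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes a configured PDO connection in $db):
// $rows = list_jobs_fixed($db, $_GET);
```

Validating the type first is the cheap check; the prepared statement is what actually closes the injection path, since it holds even for parameters that legitimately carry free text.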