PostNuke ContentExpress Module Blind Sql Injection Vulnerability

2010-03-17T00:00:00
ID 1337DAY-ID-9705
Type zdt
Reporter Ali Abbasi
Modified 2010-03-17T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ================================================================
PostNuke ContentExpress Module Blind Sql Injection Vulnerability
================================================================

# Date: 17/03/2010
# Software Link: http://sourceforge.net/projects/pn-formexpress/
# Version: 0.3.2
####################################################################
PostNuke ContentExpress Module Blind Sql Injection
Reported by Sharif University of Technology CSIRT
Vulnerability Analysis and Penetration Testing Group
cert.sharif.edu , nsc.sharif.edu
####################################################################
 
===[ POC ]===
Vulnerability occurred in form_id parameter of FormExpress Component in Postnuke
/index.php?module=FormExpress&func=display_form&form_id=1'
The Attacker could read content of the database via blind sql injection methods (like ascii(substring))
####################################################################
 
-----
Ali Abbasi



#  0day.today [2018-04-13]  #