DboardGear - incorrect theme import (SQL injection)

poizon_at_securityinfo.ru
Date: 10/25/05

    Date: Tue, 25 Oct 2005 14:28:40 +0400 (MSD)
    To: bugtraq@securityfocus.com
    
    

    Hello all.
    I checked this:
    >>>>>>>>>>>>>>>>>>>
    DboardGear ..
    Search By Google :-
    by DboardGear
    Gr33tz :-
             aLMaSTeR HaCKeR .. SQL Injection's FOunder - | almaster <at>
    hotmail.com|-
             Security4Arab .. A'Where Home ..
    1- SQL Injection in buddy.php
    http://www.site.com/dboard/buddy.php?action=add&buddy=|aLMaSTeR
    2-SQL Injection in u2a.php
    http://www.site.com/dboard/u2u.php?action=view&u2uid=|aLMaSTeR
    Error:
    You have an error in your SQL syntax near '' at line 1
    >>>>>>>>>>>>>>>
    and found a new bug in this board.
    SQL injection is available in /dboard/ctrtools.php?action=themes when you try
    to import an incorrect (not valid) theme file. I just tried to import a text file
    with a listing of my home catalog, and I got this error:
    You have an error in your SQL syntax near ') VALUES)' at line 1

    I'm not authorized on the board.
    -------------------------------------------------------
    Sorry for my English, it's not my primary language.
    ---------------------------------------------------------
    http://www.securityinfo.ru
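
An added illustration, not part of the original post and not DboardGear's code: the error reported for the theme import is consistent with an importer that assembles its INSERT statement from the uploaded file's contents. The Python example below assumes a hypothetical `key=value` theme format and `themes` table, and shows that pattern beside an import that validates the file and binds its values.

```python
import sqlite3

# Hypothetical schema and "key=value" file format; DboardGear's real ones are not on the page.
ALLOWED_COLUMNS = ("name", "bgcolor", "textcolor")

def parse_theme(text):
    """Return (key, value) pairs from 'key=value' lines; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs

def build_unsafe_sql(text):
    """Flawed pattern: column names and values are pasted in straight from the file."""
    pairs = parse_theme(text)
    cols = ", ".join(k for k, _ in pairs)
    vals = ", ".join("'%s'" % v for _, v in pairs)
    return "INSERT INTO themes (%s) VALUES (%s)" % (cols, vals)

def import_theme(conn, text):
    """Hardened import: validate first, fixed column names, bound values."""
    theme = dict(parse_theme(text))
    unknown = set(theme) - set(ALLOWED_COLUMNS)
    if unknown or "name" not in theme:
        raise ValueError("not a valid theme file")
    cols = [c for c in ALLOWED_COLUMNS if c in theme]
    sql = "INSERT INTO themes (%s) VALUES (%s)" % (
        ", ".join(cols), ", ".join("?" for _ in cols))
    conn.execute(sql, [theme[c] for c in cols])
    return cols

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE themes (name TEXT, bgcolor TEXT, textcolor TEXT)")
    return conn

# Constructed sample inputs: a theme with a quote in its name, and a directory listing.
VALID_THEME = "name=O'Brien blue\nbgcolor=#003366\n"
DIRECTORY_LISTING = "drwxr-xr-x 2 user user 4096 notes\n-rw-r--r-- 1 user user 120 todo.txt\n"
```

With the directory listing as input, the unsafe builder produces a statement with an empty column and value list, which the database rejects with a syntax error, while the hardened import refuses the file before any SQL is built.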

