[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] www.eVuln.com : "wsnuser" Cookie SQL Injection vulnerability in WSN Guest

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] www.eVuln.com : "wsnuser" Cookie SQL Injection vulnerability in WSN Guest
From: Aliaksandr Hartsuyeu <bt@xxxxxxxxx>
Date: Fri, 18 Feb 2011 10:36:19 +0200

www.eVuln.com advisory:
"wsnuser" Cookie SQL Injection vulnerability in WSN Guest

-----------Summary-----------
http://evuln.com/vulns/174/summary.html 

eVuln ID: EV0174
Software: WSN Guest
Vendor: n/a
Version: 1.24
Critical Level: medium
Type: SQL Injection
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

--------Description--------
http://evuln.com/vulns/174/description.html 

SQL Injection in "wsnuser" Cookie
It is possible to inject arbitrary SQL query using "wsnuser" cookie
parameter in the "index.php" script.
Parameter "wsnuser" is used in SQL query without proper sanitation.

--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/174/exploit.html 

---------Solution----------
Not available

----------Credit-----------
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/penetration-test.html - website manual penetration
testing


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] from hbgary: stuxnet, WL attack, Psyop and Anonymous trackdown‏
Next by Date: Re: [Full-disclosure] (this thread is now about porn).‏
Previous by thread: Re: [Full-disclosure] [VIDEO] Insect Pro 2.0 - Exploit tool for remote control
Next by thread: [Full-disclosure] HBGary Mirrors?
Index(es):
- Date
- Thread