Mambo Open Source 4.5 - 'index.php' SQL Injection

EDB-ID:

23834


Author:

JeiAr

Type:

webapps


Platform:

PHP

Date:

2004-03-16


source: https://www.securityfocus.com/bid/9891/info

It has been reported that the Mambo 'index.php' script is prone to an SQL injection vulnerability. This issue is due to a failure of the application to properly validate user supplied URI input.

As a result of this a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.

http://www.example.com/index.php?option=content&task=view&id=[SQL]&Itemid=[VID]
http://www.example.com/index.php?option=content&task=category&sectionid=[VID]&id=[SQL]&Itemid=[VID]
http://www.example.com/index.php?option=content&task=category&sectionid=[VID]&id=[SQL]&Itemid=[VID]