PHPNews 1.2.x - 'auth.php' SQL Injection

EDB-ID:

26016


Author:

GHC

Type:

webapps


Platform:

PHP

Date:

2005-07-20


source: https://www.securityfocus.com/bid/14333/info

PHPNews is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.

This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. 

Navigate to the user logon form.

Enter the following string into the Username field:

anything' or '1'='1'/*

followed by any characters in the Password field.