1-2-3 Music Store "AlbumID" SQL injection.
Vuln. discovered by: r0t
Date: 23 Nov. 2005
Original advisory: http://pridels.blogspot.com/2005/11/1-2-3-music-store-albumid-sql.html
Vendor: http://easybe.com/
Affected version: 1.0 and prior
Product Description:
Description: 1-2-3 Music Store - the music download shop for musicians
and labels. Reasonably-priced software that lets you sell music
downloads worldwide and keep full control over your music.
Vuln. Description:
Input passed to the "AlbumID" parameter in "process.php" isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
Solution:
Edit the source code to ensure that input is properly sanitised.
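One way to apply this fix, shown as an added example that is not part of the original advisory or the vendor's code: validate "AlbumID" as a positive integer, then bind it as a query parameter. The table and column names, the helper functions and the in-memory SQLite database are assumptions made so the example runs offline; the real query in "process.php" is not shown in the advisory.

```php
<?php
declare(strict_types=1);
// Added example. Schema and function names are hypothetical, not the product's.

/** Accept only a positive decimal integer; return null for anything else. */
function parse_album_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int)$raw;
    return $id > 0 ? $id : null;
}

/** Look up an album with a bound parameter instead of string concatenation. */
function find_album(PDO $db, int $albumId): ?array
{
    // Unsafe pattern of the kind the advisory describes (illustrative only):
    //   $db->query("SELECT ... WHERE album_id = " . $_GET['AlbumID']);
    $stmt = $db->prepare('SELECT album_id, title FROM albums WHERE album_id = :id');
    $stmt->bindValue(':id', $albumId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the store's real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE albums (album_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO albums VALUES (1, 'Constructed sample album')");

// Constructed request values: one well-formed, one unknown id, two malformed.
foreach (['1', '7', '12abc', ''] as $raw) {
    $id = parse_album_id($raw);
    if ($id === null) {
        // In process.php this is where the request would be refused (HTTP 400).
        echo "rejected: invalid AlbumID\n";
        continue;
    }
    $album = find_album($db, $id);
    echo $album !== null ? "found: {$album['title']}\n" : "not found\n";
}
```

The integer check rejects malformed input early, and the bound parameter keeps the value out of the SQL text even if the check is later weakened.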
Greetings to: RaZbh, g0df4th3r, der4444, fredrau, cembo, g0df4th3r!!!