Lucene search
Tien Tran Dinh1337DAY-ID-23163HistoryJan 21, 2015 - 12:00 a.m.
YourMembers Blind SQL Injection Vulnerability
2015-01-2100:00:00
Tien Tran Dinh
0day.today
19
0.002 Low
EPSS
Percentile
59.0%
Exploit for php platform in category web applications
Vulnerability title: Blind SQL Injection Vulnerability in YourMembers plugin
Vendor: YourMembers plugin
Product: https://github.com/YourMembers/yourmembers/tree/master/ym_trunk
Affected version: Version 3, 29 June 2007 (https://github.com/YourMembers/yourmembers/blob/master/LICENSE)
Google dork: inurl:ym_download_id=
Fixed version: N/A
Reported by: Tien Tran Dinh - [emailΒ protected]
Details:
The Blind SQL injection vulnerability has been found and confirmed within the software as an anonymous user. A
successful attack could allow an anonymous attacker to access information such as username and password hashes that are
stored in the database. The following URL and parameter has been confirmed to suffer from blind SQL injection:
GET /?ym_download_id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wfvt_2871549622=5434f2560126f; wpfront-notification-bar-landingpage=1; bp-activity-oldestpage=1;
__utma=9793911.1350365293.1412756050.1412756050.1412756050.1; __utmb=9793911.1.10.1412756050; __utmc=9793911;
__utmz=9793911.1412756050.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
all_RyDwsSBXVzZXJzGOTe_u0CDA-clickdesk_referrer=http%3A//www.google.com.vn/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26so
urce%3Dweb%26cd%3D1%26ved%3D0CB0QFjAA%26url%3Dhttp%253A%252F%252Fsdj
Connection: keep-alive
Vulnerable file: ym_trunk/includes/ym-download_functions.include.php
Vulnerable code: (Line: 313 -> 329)
function ym_get_download($id=false) {
global $wpdb, $ym_dl_db;
$row = new stdClass();
$row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user =
false;
if ($id) {
$sql = 'SELECT id, title, filename, postDate, members, user
FROM ' . $ym_dl_db . '
WHERE id = ' . $id;
$row = $wpdb->get_row($sql);
}
return $row;
}
# 0day.today [2018-02-19] #Related
prion
prion
Design/Logic Flaw
2015-01-13 11:59:00
Authentication flaw
2015-01-08 20:59:00
nvd
nvd
CVE-2014-10000
2015-01-13 11:59:00
CVE-2014-9583
2015-01-08 20:59:02
cve
cve
CVE-2014-10000
2015-01-13 11:59:00
CVE-2014-9583
2015-01-08 20:59:02
cvelist
cvelist
CVE-2014-10000
2015-01-13 11:00:00
CVE-2014-9583
2015-01-08 20:00:00