Py-Membres 4.x - 'Pass_done.php' SQL Injection

EDB-ID:

23061

CVE:

N/A

Author:

frog

Type:

webapps

Platform:

PHP

Published:

2003-08-26

source: http://www.securityfocus.com/bid/8500/info

A vulnerability has been reported for Py-Membres that allows remote attackers to modify the logic of SQL queries.

It has been reported that an input validation error exists in the pass_done.php file included with Py-Membres. Because of this, a remote attacker may launch SQL injection attacks through the software. 

http://www.example.com/pass_done.php?Submit=1&email='%20OR%203%20IN%20(1,2,3)%20INTO%20OUTFILE%20'/complete/path/file.txt