TITLE:
=====
phpWebSite 0.10.1 Full SQL Injection

SOFTWARE:
==========
phpWebSite 0.10.1 Full

INFO:
=====
phpWebSite provides a complete web site content management system.

DESCRIPTION:
============
phpWebSite 0.10.1 Full is vulnerable to an SQL injection attack via the `module` parameter. Here is an example:

http://localhost/phpweb/index.php?module=[sql_injection]

DB Error: syntax error
SELECT show_block, block_title FROM mod_search WHERE module='[sql_injection]'
[nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''[sql_injection]'' at line 1]

PATCH:
======
A simple filter function will do, or make the script accept only a-z, A-Z, 0-9 characters in the `module` parameter.

VENDOR STATUS:
===============
The vendors were contacted but no response was received.

CREDITS:
========
This vulnerability was discovered and researched by matrix_killer of h4cky0u Security Forums.
mail : matrix_k at abv.bg
web : http://www.h4cky0u.org

Greets to all omega-team members + krassswr, EcLiPsE and all who support us !!!

===========
http://h4cky0u.org/viewtopic.php?t=1967

--
http://www.h4cky0u.org
(In)Security at its best...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
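The PATCH note above recommends a character whitelist for `module`. The following added example (not phpWebSite's own code) shows the concatenation pattern implied by the error message next to a hardened version that applies that whitelist and binds the value as a parameter; the function names, the `$db` mysqli handle and the use of mysqli prepared statements are assumptions, while the table and column names come from the advisory's error message.

```php
<?php
// Added example, not code from phpWebSite. Assumes a mysqli connection in $db.

// Pattern matching the advisory's error: the raw request value is pasted into the
// SQL string, so a single quote in $module changes the statement's structure.
function vulnerable_lookup(mysqli $db, string $module): ?array
{
    $sql = "SELECT show_block, block_title FROM mod_search WHERE module='" . $module . "'";
    $res = $db->query($sql);            // fails with nativecode 1064 on a stray quote
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Fix 1 (the advisory's suggestion): accept only a-z, A-Z, 0-9 for a module name.
function is_valid_module_name(string $module): bool
{
    return (bool) preg_match('/^[A-Za-z0-9]+$/', $module);
}

// Fix 2 (defence in depth): bind the value instead of concatenating it, so even a
// value that slips past validation cannot alter the query.
function safe_lookup(mysqli $db, string $module): ?array
{
    if (!is_valid_module_name($module)) {
        return null;                    // reject; log the event, do not echo the raw value
    }
    $stmt = $db->prepare('SELECT show_block, block_title FROM mod_search WHERE module = ?');
    $stmt->bind_param('s', $module);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed usage: read the parameter and look it up through the hardened path.
$module = isset($_GET['module']) ? (string) $_GET['module'] : '';
$row = safe_lookup($db, $module);
```

Disabling verbose DB error output in production is a separate hardening step: the advisory's error message shows that the full failing statement is returned to the client.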