#120
New
SQL Injection in sort_direction parameter
Reported by Anonymous on Ajax Scaffold · 22/07/2008 16:27:22
- Assigned to: rrwhite
- Priority: Normal
- Status: New
- Category: None
- Version: None
Parameter sort_direction is not validated. This makes SQL injection possible. Example values of the sort_direction parameter:
1. asc, (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE 1=1)
2. asc, (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE 1=0)
In the first case we get a 500 server error caused by a MySQL error. In the second, no error (the query is valid). By changing 1=1 and 1=0 to other expressions we have a nice blind SQL injection.
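Added example, not part of the original report and not Ajax Scaffold's own code: one way to validate sort_direction in Ruby by mapping it through an allowlist before it reaches ORDER BY. The helper names, the column list and the default column are assumptions made for illustration.

```ruby
# Added example. Helper names, columns and defaults are hypothetical;
# this is not code from the Ajax Scaffold plugin.

# Only these two keywords may ever reach the ORDER BY clause.
ALLOWED_DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

# Unvalidated pattern: the request value is interpolated as-is, so anything
# after "asc" becomes part of the SQL statement.
def unsafe_order_clause(column, direction)
  "#{column} #{direction}"
end

# Validated pattern: the direction is looked up in the allowlist (falling
# back to ASC) and the column must be one the application already knows.
def safe_order_clause(column, direction, allowed_columns, default_column)
  col = allowed_columns.include?(column.to_s) ? column.to_s : default_column
  dir = ALLOWED_DIRECTIONS.fetch(direction.to_s.strip.downcase, "ASC")
  "#{col} #{dir}"
end

# True when the supplied direction was not an exact allowlist match,
# useful for logging rejected input.
def direction_rejected?(direction)
  !ALLOWED_DIRECTIONS.key?(direction.to_s.strip.downcase)
end

if __FILE__ == $0
  columns = %w[id name created_at] # constructed sample column list
  # Sample inputs: two legitimate values plus the two from the report.
  samples = [
    "asc",
    "DESC",
    "asc, (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE 1=1)",
    "asc, (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE 1=0)"
  ]
  samples.each do |value|
    puts "input:    #{value.inspect}"
    puts "unsafe:   ORDER BY #{unsafe_order_clause('name', value)}"
    puts "safe:     ORDER BY #{safe_order_clause('name', value, columns, 'id')}"
    puts "rejected: #{direction_rejected?(value)}"
    puts
  end
end
```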