I found a SQL injection in the variable "ANN_id" on your phpWebSite.
index.php?module=announce&ANN_user_op=view&ANN_id='[SQL injection HERE]
Solution? Filter out the variable
Keep up the good work...
David Sopas Ferreira ceo@systemsecure.org
Logged In: YES user_id=783140
This has now been fixed in CVS. I tested our other modules to see if they had this problem and found that notes also needed to be fixed. The id passed in is now being checked to make sure it is numeric.
Changed Files: mod/announcements/index.php mod/notes/index.php
Thanks, Darren
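One way to implement the numeric check described in the comment above, as an added example that is not phpWebSite's code: parse_record_id(), the table and column names, and the in-memory SQLite database are assumptions for illustration. It accepts only plain decimal digits, because PHP's is_numeric() also accepts strings such as "1e3" and " 5", and then binds the value as an integer parameter.

```php
<?php
// Added example, not phpWebSite's code. parse_record_id(), the table and
// column names, and the in-memory SQLite database are assumptions.

/**
 * Return the id as a positive int, or null if the raw request value is
 * anything other than 1-9 plain decimal digits.
 */
function parse_record_id($raw): ?int
{
    // Request parameters can arrive as arrays (ANN_id[]=1); reject those.
    if (!is_string($raw)) {
        return null;
    }
    // ctype_digit() is stricter than is_numeric(), which also accepts
    // "1e3", "1.5", "-1" and " 5". The length cap avoids integer overflow.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Constructed sample data standing in for the announcements table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE announcements (id INTEGER PRIMARY KEY, subject TEXT)');
$db->exec("INSERT INTO announcements (id, subject) VALUES (1, 'Welcome')");

// Constructed inputs: one valid id and several that must be rejected.
$samples = ['1', "1'", '1 OR 1=1', '1e3', ' 1', '', '0', ['1']];

$stmt = $db->prepare('SELECT subject FROM announcements WHERE id = :id');
foreach ($samples as $raw) {
    $id = parse_record_id($raw);
    if ($id === null) {
        echo json_encode($raw), " => rejected\n";
        continue;
    }
    // Validation and binding are independent layers: the bound parameter
    // keeps the query safe even if a later change loosens the check.
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    echo json_encode($raw), ' => ', $row ? $row['subject'] : 'not found', "\n";
}
```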