TutorialMS v1.4 (show) Remote SQL Injection Vulnerability

Title: TutorialMS v1.4 (show) Remote SQL Injection Vulnerability
Advisory ID: ZSL-2011-5007
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 05.04.2011
Summary
TutorialMS is a free content management system, developed specifically for tutorial pages. It is written in PHP and uses MySQL as a database. TutorialMS offers all the usual features you need to build quick and easy your own tutorial page, without great programming knowledge.
Description
Input passed via the 'show' parameter to the 'includes/classes/tutorial.php' script is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Vendor
TutorialMS.com - http://www.tutorialms.com
Affected Version
1.4
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
tutorialms_sql.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17123/
[2] http://www.securityfocus.com/bid/47178
[3] http://packetstormsecurity.org/files/100113
[4] http://secunia.com/advisories/44000/
[5] http://www.1337day.com/exploits/15792
[6] http://securityreason.com/wlb_show/WLB-2011040037
[7] http://securityreason.com/exploitalert/10292
[8] http://xforce.iss.net/xforce/xfdb/66577
[9] http://osvdb.org/show/osvdb/71562
Changelog
[05.04.2011] - Initial release
[06.04.2011] - Added reference [1], [2], [3], [4] and [5]
[07.04.2011] - Added reference [6], [7] and [8]
[13.04.2011] - Added reference [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk