
Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability

Critical
Advisory ID: ZSL-2010-4949
Release Date: 14 August 2010
Vendor: Athlete Web Services, Inc. / AWS Sports - http://www.athletewebservices.com
Affected Version: 1.1 and 2.0
CVE: N/A
Tested On: Microsoft IIS 6.0, MySQL 4.0.15-log, PHP 4.3.3

Summary

Content Management System (PHP+MySQL).

Description

The CMS is vulnerable to an SQL injection attack when input is passed to the "news_id" parameter. The script fails to properly sanitize the input before it is used in the SQL query, allowing an attacker to compromise the entire database and view sensitive information.

GET .../show_news.php?news_id=xx%27

1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line xx.
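
A log triage check for the issue described above, added here as an example and not part of the original advisory: it flags requests to show_news.php whose news_id value is not a plain integer, such as the %27 request shown. The IIS W3C extended log layout, the function name suspicious_requests, the assumption that news_id is an integer key, and the sample log lines are all constructed for illustration.

```python
"""Flag show_news.php requests whose news_id is not a plain integer.

Added example, not part of the advisory. Sample log lines are constructed;
the column layout is read from the IIS W3C "#Fields:" header.
"""
import re
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-08-14 10:01:12 192.0.2.10 GET /show_news.php news_id=12 200
2010-08-14 10:01:40 192.0.2.77 GET /show_news.php news_id=12%27 200
2010-08-14 10:02:03 192.0.2.10 GET /index.php - 200
2010-08-14 10:02:31 192.0.2.77 GET /Show_News.php news_id=xx%27 200
2010-08-14 10:03:00 192.0.2.10 GET /show_news.php news_id=7&lang=en 200
"""

# Assumption: news_id is a numeric row key, so anything else is worth a look.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def suspicious_requests(log_text, script="/show_news.php", param="news_id"):
    """Return (timestamp, client_ip, decoded_value) for each non-integer value."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS matches paths case-insensitively, so compare the stem lower-cased.
        if not row.get("cs-uri-stem", "").lower().endswith(script):
            continue
        # parse_qs percent-decodes, so %27 is seen as a literal quote.
        values = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for value in values.get(param, []):
            if not NUMERIC_ID.fullmatch(value):
                stamp = f"{row.get('date', '?')} {row.get('time', '?')}"
                hits.append((stamp, row.get("c-ip", "?"), value))
    return hits


if __name__ == "__main__":
    for when, ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{when}  {ip}  news_id={value!r}")
```
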
Proof of Concept
Disclosure Timeline
05.06.2010: Vulnerability discovered.
09.08.2010: Vendor contacted.
13.08.2010: No response from vendor.
14.08.2010: Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
14.08.2010: Initial release
15.08.2010: Added reference [2]
16.08.2010: Added reference [3] and [4]
17.08.2010: Added reference [5] and [6]
06.09.2010: Added reference [7]