Release date: 2011-12-19
Updated on:
Affected Systems:
Sourceforge DotA OpenStats 1.3.9
Description:
--------------------------------------------------------------------------------
Bugtraq id: 51110
Cve id: CVE-2011-5218
DotA OpenStats is a PHP/MySQL web statistics and CMS application for DotA games.
DotA OpenStats 1.3.9 and earlier versions contain a SQL injection vulnerability. Successful exploitation allows attackers to control the application, access or modify data, or exploit other vulnerabilities in the underlying database.
Source: HvM17
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use at your own risk!
http://www.example.com/dotaStats/index.php?id=' 1 union select 1,2,3,4
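The description and test URL above both come down to one defect: the numeric `id` request parameter is spliced into a SQL statement as text. The block below is an added illustration, not code from the advisory or from DotA OpenStats. It shows the vulnerable pattern beside its hardened form (integer validation plus a bound parameter) and a small detection helper that flags access-log requests whose `id` is not a plain integer. SQLite stands in for MySQL; the `games` table, its columns, the function names and the sample log lines are all constructed here and are not the application's real schema or logs.

```python
"""Added illustration, not code from the advisory or from DotA OpenStats:
the query pattern behind a numeric-id SQL injection in a PHP/MySQL page,
shown once as the vulnerable string splice and once hardened.  The table,
its columns and the log lines are constructed here; the real application
and its schema are not on the page.  SQLite stands in for MySQL."""
import re
import sqlite3
from urllib.parse import unquote_plus

# A plain decimal integer is the only shape a game id should ever have.
ID_RE = re.compile(r"^[0-9]{1,10}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample table (assumed name and columns) with two game records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE games (id INTEGER PRIMARY KEY, map TEXT, winner TEXT, duration INTEGER)"
    )
    conn.executemany("INSERT INTO games VALUES (?, ?, ?, ?)", [
        (1, "DotA 6.72f", "Sentinel", 2400),
        (2, "DotA 6.74c", "Scourge", 3100),
    ])
    return conn


def lookup_game_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so it can extend the statement (e.g. with a UNION) instead of being a value."""
    sql = f"SELECT id, map, winner, duration FROM games WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def probe_unsafe(raw_id: str) -> tuple:
    """Run the vulnerable lookup on a fresh table and report either the rows or
    the database error text; an error reaching the client is one visible symptom."""
    try:
        return ("rows", lookup_game_unsafe(make_db(), raw_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def lookup_game_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: reject anything that is not a plain integer, then bind the
    value as a query parameter so it can never change the statement shape."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError(f"rejected non-numeric id parameter: {raw_id!r}")
    return conn.execute(
        "SELECT id, map, winner, duration FROM games WHERE id = ?",
        (int(raw_id),),
    ).fetchall()


def safe_lookup_accepts(raw_id: str) -> bool:
    """True when the hardened lookup accepts the parameter, False when it rejects it."""
    try:
        lookup_game_safe(make_db(), raw_id)
        return True
    except ValueError:
        return False


def flag_suspicious_requests(log_lines: list) -> list:
    """Detection side: return access-log lines whose id= parameter, once
    URL-decoded, is not a plain integer."""
    hits = []
    for line in log_lines:
        m = re.search(r"[?&]id=([^&\s\"]*)", line)
        if m and not ID_RE.fullmatch(unquote_plus(m.group(1))):
            hits.append(line)
    return hits


# Constructed log lines in common log format; the second carries the payload shape from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Dec/2011:10:00:01 +0000] "GET /dotaStats/index.php?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Dec/2011:10:00:07 +0000] "GET /dotaStats/index.php?id=%27%201%20union%20select%201,2,3,4 HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    print(probe_unsafe("1 union select 1,2,3,4"))    # a foreign row (1, 2, 3, 4) joins the result
    print(probe_unsafe("' 1 union select 1,2,3,4"))  # the quoted form surfaces a database error instead
    print(safe_lookup_accepts("12"), safe_lookup_accepts("' 1 union select 1,2,3,4"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The two halves are the usual remediation pair: the bound parameter removes the vulnerability class, and the integer check is defence in depth that also gives you a cheap log signal, because a legitimate stats page never receives an `id` that is anything but digits. In the PHP application itself the equivalent is casting with `intval()` and running the query through a prepared statement (PDO or mysqli) rather than string concatenation.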
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Sourceforge
-----------
Currently, the vendor has not released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://mod-security.svn.sourceforge.net