| عنوان | cxbsoft Post-Office <=1.0 SQL Injection |
|---|
| الوصف | The Post-Office application, specifically version v1.0 or below, has been identified to contain a SQL Injection vulnerability within the /apps/reg_go.php file. The flaw was discovered by security researcher glzjin, who noted that the 'username_reg' parameter is improperly handled and directly concatenated into a SQL query, allowing for malicious SQL commands to be executed. By crafting a specially designed HTTP POST request, an attacker can exploit this vulnerability to manipulate the database, as demonstrated by the payload which induces a 5-second sleep, confirming the SQL injection point. The details of this vulnerability, including proof of concept, have been made available by the researcher on various platforms including the official software repository on GitHub and community forums. |
|---|
| المصدر | ⚠️ https://note.zhaoj.in/share/HUxa372VNwad |
|---|
| المستخدم | glzjin (UID 59815) |
|---|
| ارسال | 05/01/2024 06:03 AM (2 سنوات منذ) |
|---|
| الاعتدال | 14/01/2024 05:38 PM (9 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 250700 [CXBSoft Post-Office حتى 1.0 HTTP POST Request /apps/reg_go.php username_reg حقن SQL] |
|---|
| النقاط | 20 |
|---|