| Titel | chaitak-gorai blogbook latest version as of 2025/05/22 SQL Injection |
|---|
| Beschreibung | The BlogBook application is vulnerable to SQL injection in its post deletion mechanism. When a delete GET parameter is supplied, its value is used unsanitized in two separate DELETE SQL queries: one targeting the posts table and another targeting the comments table based on the same post_id. This allows an attacker (potentially requiring administrative privileges) to inject malicious SQL. A crafted payload, such as one evaluating to a universally true condition (e.g., 1 OR 1=1), can bypass the intended single-post deletion and result in the deletion of all entries in both the posts and comments tables, causing significant data integrity and availability issues. |
|---|
| Quelle | ⚠️ https://github.com/rllvusgnzm98/Report/blob/main/blogbook/BlogBook%20posts.php%20delete_post%20delete%20Parameter%20SQL%20Injection.md |
|---|
| Benutzer | bpy9ft (UID 85221) |
|---|
| Einreichung | 22.05.2025 08:26 (vor 1 Jahr) |
|---|
| Moderieren | 31.05.2025 18:13 (9 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 310743 [chaitak-gorai Blogbook bis 92f5cf90f8a7e6566b576fe0952e14e1c6736513 GET Parameter view_all_posts.php post_id SQL Injection] |
|---|
| Punkte | 20 |
|---|