| タイトル | cxbsoft Post-Office <=1.0 SQL Injection |
|---|
| 説明 | The Post-Office application, specifically version v1.0 or below, has been identified to contain a SQL Injection vulnerability within the /apps/reg_go.php file. The flaw was discovered by security researcher glzjin, who noted that the 'username_reg' parameter is improperly handled and directly concatenated into a SQL query, allowing for malicious SQL commands to be executed. By crafting a specially designed HTTP POST request, an attacker can exploit this vulnerability to manipulate the database, as demonstrated by the payload which induces a 5-second sleep, confirming the SQL injection point. The details of this vulnerability, including proof of concept, have been made available by the researcher on various platforms including the official software repository on GitHub and community forums. |
|---|
| ソース | ⚠️ https://note.zhaoj.in/share/HUxa372VNwad |
|---|
| ユーザー | glzjin (UID 59815) |
|---|
| 送信 | 2024年01月05日 06:03 (2 年 ago) |
|---|
| モデレーション | 2024年01月14日 17:38 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 250700 [CXBSoft Post-Office 迄 1.0 HTTP POST Request /apps/reg_go.php username_reg SQLインジェクション] |
|---|
| ポイント | 20 |
|---|