| Title | cxbsoft Post-Office <=1.0 SQL Injection |
|---|
| Description | The Post-Office application, specifically version v1.0 or below, has been identified to contain a SQL Injection vulnerability within the /apps/reg_go.php file. The flaw was discovered by security researcher glzjin, who noted that the 'username_reg' parameter is improperly handled and directly concatenated into a SQL query, allowing for malicious SQL commands to be executed. By crafting a specially designed HTTP POST request, an attacker can exploit this vulnerability to manipulate the database, as demonstrated by the payload which induces a 5-second sleep, confirming the SQL injection point. The details of this vulnerability, including proof of concept, have been made available by the researcher on various platforms including the official software repository on GitHub and community forums. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/HUxa372VNwad |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 01/05/2024 06:03 (2 years ago) |
|---|
| Moderation | 01/14/2024 17:38 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 250700 [CXBSoft Post-Office up to 1.0 HTTP POST Request /apps/reg_go.php username_reg sql injection] |
|---|
| Points | 20 |
|---|