| Title | chaitak-gorai blogbook latest version as of 2025/05/22 SQL Injection |
|---|
| Description | The BlogBook application is vulnerable to SQL injection in its post deletion mechanism. When a delete GET parameter is supplied, its value is used unsanitized in two separate DELETE SQL queries: one targeting the posts table and another targeting the comments table based on the same post_id. This allows an attacker (potentially requiring administrative privileges) to inject malicious SQL. A crafted payload, such as one evaluating to a universally true condition (e.g., 1 OR 1=1), can bypass the intended single-post deletion and result in the deletion of all entries in both the posts and comments tables, causing significant data integrity and availability issues. |
|---|
| Source | ⚠️ https://github.com/rllvusgnzm98/Report/blob/main/blogbook/BlogBook%20posts.php%20delete_post%20delete%20Parameter%20SQL%20Injection.md |
|---|
| User | bpy9ft (UID 85221) |
|---|
| Submission | 05/22/2025 08:26 (1 Year ago) |
|---|
| Moderation | 05/31/2025 18:13 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 310743 [chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513 GET Parameter view_all_posts.php post_id sql injection] |
|---|
| Points | 20 |
|---|