Type of reporting: Bug report
Version of Maxtrade AIO: v 1.0.1
Operating system: Linux, Ubuntu 6.06 Dapper, Up to date
Date: 30 April 2006
Description:
Maxtrade AIO contains a flaw that allows remote SQL injection attacks. Input passed to the "categori" and "stranica" parameters in "pocategories.php" isn't properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Examples:
/pocategories.php?stranica=categories&categori=[SQL]
/pocategories.php?stranica=[SQL]
Solution:
Sanitized 3 files so that the SQL queries can no longer be manipulated by injecting arbitrary SQL code. Upgrade to "Maxtrade AIO" v1.0.3
STATUS: Fixed at 31 April 2006
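As an added illustration of the class of fix described above (example code, not Maxtrade AIO's own), the vulnerable pattern in PHP beside a hardened version that validates both parameters and binds them with prepared statements. The table name `categories`, the columns `id`/`page`, the allow-list of page names and the in-memory SQLite database are assumptions; only the parameter names `categori` and `stranica` come from the report.

```php
<?php
// Added example, not Maxtrade AIO's code. Table/column names (categories, id, page),
// the allow-list and the SQLite demo database are assumptions; only the request
// parameter names categori/stranica come from the report.

// Vulnerable pattern described in the report: request parameters spliced into SQL text.
function fetchCategoryUnsafe(PDO $pdo, array $get): array
{
    $page     = $get['stranica'] ?? '';
    $category = $get['categori'] ?? '';
    // Any quote or operator in either value becomes part of the query itself.
    $sql = "SELECT * FROM categories WHERE page = '$page' AND id = '$category'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: check 'stranica' against a fixed allow-list, require 'categori'
// to be an integer, and bind both values so they can never change the query structure.
function fetchCategorySafe(PDO $pdo, array $get): array
{
    $allowedPages = ['categories', 'products', 'news']; // assumed set of valid pages
    $page = $get['stranica'] ?? '';
    if (!in_array($page, $allowedPages, true)) {
        throw new InvalidArgumentException('unknown stranica value');
    }
    // filter_var returns false for anything that is not a well-formed integer
    $category = filter_var($get['categori'] ?? '', FILTER_VALIDATE_INT);
    if ($category === false) {
        throw new InvalidArgumentException('categori must be an integer id');
    }
    $stmt = $pdo->prepare('SELECT * FROM categories WHERE page = :page AND id = :id');
    $stmt->bindValue(':page', $page, PDO::PARAM_STR);
    $stmt->bindValue(':id', $category, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (id INTEGER, page TEXT, name TEXT)');
$pdo->exec("INSERT INTO categories VALUES (1, 'categories', 'Books'), (2, 'categories', 'Music')");

print_r(fetchCategorySafe($pdo, ['stranica' => 'categories', 'categori' => '2']));
try {
    // A value containing a quote character is rejected before any SQL is built.
    fetchCategorySafe($pdo, ['stranica' => 'categories', 'categori' => "2'"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The unsafe function is kept only for comparison and is never called in the demo; with the hardened version, a malformed `categori` or an unlisted `stranica` fails validation before a query is ever prepared.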