Wednesday 28 September 2011

phpMiniAdmin 1.7 vulnerable to SQL Injection and more...

Today I finished 'version 4' of one of my python project: a PHP source code scanner.
I decided to run it against some simple web application.
Found one of course at sourceforge.net : phpMiniAdmin (1.7.110429).

For a few seconds program found few interesting possiblility of vulnerabilities existing in scanned php.
One from the list is possible SQL Injection attack:

--- cut phpminiadmin.php ---
130 function do_sql($q){
--- cut ---

So for a quick-test, type for $q= some'thing, and see whats happen?
http://localhost//phpminiadmin.php?XSS=4F4B12d3aEBa4ba&q=%'hereissql

Other one is unpropper validation of the same parameter ($q), but this time, is XSS:

I know this web application isnt something like Fusion CMS or ect... Im just happy, the code is working;)

No comments:

Post a Comment

What do You think...?