
Fuse Talk
2nd Nov 2001 [SBWID-4835]

	Fuse Talk

	Anthony Cole found the following about e-zonemedia's Fuse Talk, which is
	vulnerable to malicious SQL (SQL injection). Improper form sanitization
	makes it possible for any user to manipulate data as (s)he sees fit. On
	the sign-up form (join.cfm) it is possible to pass a well-crafted form
	variable to the action template (the action template is join.cfm itself)
	that will execute malicious SQL. This is made possible by not filtering
	the semicolon (;). Examine the following code:

	     1;delete from users

	     1;exec sp_addlogin "OsamaBinLadenSucks"

	Solution: Nothing yet.
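An added illustration, not from the advisory and not Fuse Talk's own code, of how the unfiltered semicolon turns one form value into a second SQL statement, and of the two controls that stop it: rejecting non-numeric input and binding the value as a parameter. It uses an in-memory SQLite table (constructed sample data) and executescript() to stand in for a driver that accepts stacked statements, as the SQL Server backend implied by the sp_addlogin payload does; the table layout and the query shape behind join.cfm are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for Fuse Talk's member table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');"
    )
    return db


def remaining_ids(db):
    return [row[0] for row in db.execute("SELECT id FROM users ORDER BY id")]


def lookup_vulnerable(db, form_id):
    """Hypothetical 'before' handler: the raw form value is spliced into
    the SQL text. executescript() runs stacked statements, like the SQL
    Server driver behind the advisory, so '1;delete from users' becomes a
    second statement that runs right after the SELECT."""
    db.executescript(f"SELECT name FROM users WHERE id = {form_id};")
    return remaining_ids(db)


def lookup_hardened(db, form_id):
    """Hardened handler: the value must be a bare integer (a ';' can never
    pass), and it is bound as a parameter instead of spliced into the SQL,
    so the database treats it as data, never as statement text."""
    if not re.fullmatch(r"\d{1,9}", form_id):
        raise ValueError(f"rejected non-numeric form value: {form_id!r}")
    db.execute("SELECT name FROM users WHERE id = ?", (int(form_id),)).fetchall()
    return remaining_ids(db)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1;delete from users"))  # [] - table wiped
    db = make_db()
    try:
        lookup_hardened(db, "1;delete from users")
    except ValueError as err:
        print(err)
    print(lookup_hardened(db, "1"))  # [1, 2] - table intact
```

Parameter binding alone is what defeats the injection; the integer check is defence in depth and also gives a log line worth alerting on when a member ID arrives containing a semicolon.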
