Description
The search filter on http://[server name]/[base path]/acp/acp.php?tn=user&sub=list allows a user to inject a malicious SQL statement.
Fixed by using a bind parameter.
Reproduce
Go to http://[server name]/[base path]/acp/acp.php?tn=user&sub=list
Input test') or 1=1 union select (select tbl_name from sqlite_master limit 1),2,3,4,5,6,7,8-- into the Filter input field.
Hit the return key.
You can see a user with ID fc_user, as shown below. fc_user is the result of select tbl_name from sqlite_master limit 1.
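An added illustration of the before/after behaviour described in this report, not the project's own code: the table name fc_user and the payload come from the report above, while the column layout, the LIKE-based filter and the function names are assumptions.

```php
<?php
// Added example, not the project's code. fc_user is given an assumed
// 8-column layout so the report's 8-value UNION lines up with it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fc_user (id TEXT, name TEXT, c3 TEXT, c4 TEXT, '
        . 'c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT)');
$db->exec("INSERT INTO fc_user VALUES ('alice', 'Alice', '', '', '', '', '', '')");

// Before the fix (assumed shape): the filter value is concatenated into the
// SQL text, so quotes and parentheses in the input change the statement itself.
function listUsersVulnerable(PDO $db, string $filter): array
{
    $sql = "SELECT * FROM fc_user WHERE (name LIKE '%" . $filter . "%')";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// After the fix: the value is passed as a bound parameter. SQLite receives the
// statement text and the value separately, so the input is compared as data
// and can never alter the SELECT.
function listUsersFixed(PDO $db, string $filter): array
{
    $stmt = $db->prepare('SELECT * FROM fc_user WHERE (name LIKE :pattern)');
    $stmt->bindValue(':pattern', '%' . $filter . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The exact filter text from the report's reproduction steps.
$payload = "test') or 1=1 union select "
         . "(select tbl_name from sqlite_master limit 1),2,3,4,5,6,7,8--";

// Vulnerable path: the UNION row shows up in the result set with the
// table name in the ID column, which is what the report describes.
$rows = listUsersVulnerable($db, $payload);
$leaked = in_array('fc_user', array_column($rows, 0), true);
echo 'vulnerable: table name visible in ID column: ', var_export($leaked, true), PHP_EOL;

// Fixed path: the same text is only matched literally against the name column.
$rows = listUsersFixed($db, $payload);
echo 'fixed: rows matching the literal filter text: ', count($rows), PHP_EOL;
```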