From: predej deja
To: cert@cert.org, osvdb, secunia, securityfocus
Date: Tue, 28 Mar 2006 18:23:50 +0200
Subject: [OSVDB Mods] OneOrZero 1.4x - SQL Injection

OneOrZero 1.4x - SQL Injection

Vendor URL: http://helpdesk.oneorzero.com/

Description:
Input passed to the 'id' parameter in index.php is not properly validated before it is used in an SQL query. This allows attackers to manipulate the SQL queries the application executes.

PoC:
http://justrw.net/help/index.php?t=kbase&act=kans&id=22%27

(The %27 decodes to a single quote, which is appended to the numeric id value unescaped.)

Result:
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

The quoted error shows the stray quote reaching MySQL inside the query text, which is what confirms the injection rather than a normal "not found" response.

Preddy
RootShell Security Group
www.rootshell-security.net
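The following is an added example, not code from OneOrZero or from the advisory author. It reproduces the pattern the advisory describes (a raw 'id' query-string value pasted into SQL text) against a constructed in-memory SQLite table, shows the same syntax error the PoC triggers, and puts the hardened form (type check plus bound parameter) beside it. The table name kb_answers, its columns and the rows are assumptions for the demonstration, not the real OneOrZero schema.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the help-desk database. Table/column names and
# rows are assumptions for this example, not OneOrZero's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kb_answers (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO kb_answers VALUES (?, ?)",
        [(22, "Password reset"), (23, "VPN setup")],
    )
    return conn

DB = make_db()

# The query string from the advisory's PoC URL, with the value URL-decoded
# the way a web server hands it to the application.
POC_QUERY_STRING = "t=kbase&act=kans&id=22%27"

def poc_id():
    """Extract the decoded 'id' value from the PoC query string."""
    return parse_qs(POC_QUERY_STRING)["id"][0]

def fetch_answer_vulnerable(raw_id):
    """Mirrors the flaw described in the advisory: the raw 'id' string is
    concatenated straight into the SQL text, so a quote or extra clause
    becomes part of the query."""
    sql = "SELECT title FROM kb_answers WHERE id = " + raw_id
    return DB.execute(sql).fetchone()

def fetch_answer_safe(raw_id):
    """Hardened version: reject anything that is not a plain integer, then
    pass the value as a bound parameter so it can never alter the SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return DB.execute(
        "SELECT title FROM kb_answers WHERE id = ?", (int(raw_id),)
    ).fetchone()

def probe(raw_id):
    """Classify the vulnerable lookup's behaviour for a given input:
    'row', 'empty', or 'sql_error' (the database rejected the query text,
    which is the signal the advisory's PoC relies on)."""
    try:
        row = fetch_answer_vulnerable(raw_id)
    except sqlite3.OperationalError:
        return "sql_error"
    return "row" if row else "empty"

if __name__ == "__main__":
    print("PoC id value:", repr(poc_id()))
    print("vulnerable, id=22     ->", probe("22"))
    print("vulnerable, id=22'    ->", probe(poc_id()))
    print("vulnerable, 0 OR 1=1  ->", fetch_answer_vulnerable("0 OR 1=1"))
    print("safe, id=22           ->", fetch_answer_safe("22"))
    try:
        fetch_answer_safe(poc_id())
    except ValueError as e:
        print("safe, id=22'          -> rejected:", e)
```

SQLite reports an unrecognised token where MySQL reports a syntax error near '\'', but the mechanism is identical: the quote from the PoC is interpreted as SQL rather than as data. The tautology input is included only to show that the same concatenation lets an attacker change which rows the query returns, which is the general consequence of the flaw; the safe variant never reaches the database with either input.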