Bug Report: SQL injection vulnerability #26

Closed
cuhanboy opened this issue Dec 31, 2020 · 1 comment
@cuhanboy

Hi @cskaza, I found a high-risk time-based blind SQL injection vulnerability in the member function module (http://website/member/edit).
The vulnerable code is in cszcms/models/csz_model.php.
The vulnerable parameter is pm_sendmail. This parameter is passed to the database query without any filtering, resulting in a vulnerability.
All the data in the database can be obtained by using sqlmap.

@cskaza
Owner

cskaza commented Nov 10, 2021

Resolved. Done in the next version.

@cskaza cskaza closed this as completed Nov 10, 2021
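
Added example, not part of the original issue and not CSZ CMS code: the bug class the report describes (a request parameter placed into a query without filtering) next to a fix that validates and binds the value. The table layout, function names and sample input are constructed, the treatment of pm_sendmail as a 0/1 flag is an assumption, and Python's sqlite3 stands in for the project's PHP and database.

```python
import sqlite3

# Constructed input: a value that is not a plain flag and alters the statement.
HOSTILE = "1 --"

def make_db():
    """Constructed stand-in for a member table with a notification flag."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT, pm_sendmail INTEGER)")
    db.executemany("INSERT INTO member VALUES (?, ?, ?)",
                   [(1, "alice@example.test", 0), (2, "bob@example.test", 0)])
    return db

def update_unsafe(db, member_id, pm_sendmail):
    """Vulnerable pattern: the request value becomes part of the SQL text."""
    sql = f"UPDATE member SET pm_sendmail = {pm_sendmail} WHERE id = {int(member_id)}"
    db.execute(sql)
    return sql

def update_safe(db, member_id, pm_sendmail):
    """Hardened pattern: allow-list the value (assumed 0/1 flag), then bind it."""
    if pm_sendmail not in ("0", "1"):
        raise ValueError("pm_sendmail must be '0' or '1'")
    db.execute("UPDATE member SET pm_sendmail = ? WHERE id = ?",
               (int(pm_sendmail), int(member_id)))

def flags(db):
    """Return the pm_sendmail column for every member, ordered by id."""
    return [r[0] for r in db.execute("SELECT pm_sendmail FROM member ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(update_unsafe(db, 1, HOSTILE))   # the WHERE clause ends up inside a comment
    print("unsafe:", flags(db))            # every member was updated, not only id 1

    db = make_db()
    try:
        update_safe(db, 1, HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
    update_safe(db, 1, "1")
    print("safe:", flags(db))              # only member 1 changed
```
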