SQL Injection Vulnerability #26
Comments
That last URL, and a bunch of others, are public and can be accessed without login. This is not a vulnerability, since you do not get access to the auth table or the database.
Yeah, I just recently checked on mobile and that option is showing.
But on PC there is access to that login page, so I thought of it as a bug.
On Sun, Sep 18, 2022, 22:13 Jyotirmaya Shivottam wrote:
That last URL (https://github.com/sdgniser/arc/blob/e1b0985d202ab9899b850e5103d7978896e25219/main/urls.py#L10) and a bunch of others are public and can be accessed without login. This is not a vulnerability, since you do not get access to the auth table or the database.
This is not a vulnerability.
While doing SQL injection through sqlmap, I found out that the IP address 10.0.2.35 (which is the IP address of NISER SDG) is somewhat vulnerable to SQL injection, through which I was able to get to a sensitive site.
And this link led me to the NISER archive login page:
This is really sensitive and can be exploited easily if it has default/weak password flaws.
I even just tried and reset somebody's password, but I don't know whether that mail exists or not.
If it really exists and the mail has been sent, then I am really sorry. I was just checking.
Solution
Change the GET parameter to POST.
Secure the website code as it is vulnerable to SQL Injection.
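As an added illustration of why the two suggested fixes are not equivalent (this is example code, not code from the sdgniser/arc project, whose queries are not shown on this page): a query assembled by string formatting is injectable whether the value arrives in a GET query string or a POST body, because the database sees the same string either way, while a parameterised query binds the value and is not. The table name, sample rows, payload and function names below are constructed for the example.

```python
import sqlite3

# Constructed sample data (not the project's schema): a small in-memory table
# standing in for whatever the reporter's scanner probed.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Hypothetical anti-pattern: the request value is spliced into the SQL text.

    Whether 'username' was read from request.GET or request.POST makes no
    difference here; the SQL engine receives the attacker's text as SQL.
    """
    sql = f"SELECT username, email FROM auth_user WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value, so it can never become SQL."""
    sql = "SELECT username, email FROM auth_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload of the kind an automated scanner such as sqlmap sends.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the same data and return the results for comparison."""
    conn = make_db()
    return {
        # The spliced query becomes ... WHERE username = '' OR '1'='1', matching every row.
        "vulnerable_all_rows": vulnerable_lookup(conn, PAYLOAD),
        # The bound parameter is compared literally to the payload string: no match.
        "safe_no_rows": safe_lookup(conn, PAYLOAD),
        # A legitimate value still works through the parameterised query.
        "safe_legit": safe_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point for the "Solution" list above: moving a parameter from GET to POST only changes where the value is read from, not how the query is built. Only the parameterised form (or, in Django, the ORM's own query building) removes the injection; a GET-to-POST change on its own leaves a string-formatted query exactly as exploitable.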