F-Secure
Tools
All In One Control Panel (AIOCP) "poll_id" SQL Injection
| Report ID: | SA32431 |
| Source: | Secunia |
| Date of Discovery: | 28.10.2008 |
| Criticality: | Moderate |
| Affects: | All In One Control Panel 1.x |
| Compromise From: | From remote |
| Compromise Type: | Manipulation of data |
Summary
A vulnerability in All In One Control Panel (AIOCP), which can be exploited by malicious people to conduct SQL injection attacks.
Detailed Description
A vulnerability in All In One Control Panel (AIOCP), which can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "poll_id" parameter in public/code/cp_polls_results.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 1.4.001 and reported in version 1.4.000. Other versions may also be affected.
Input passed to the "poll_id" parameter in public/code/cp_polls_results.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 1.4.001 and reported in version 1.4.000. Other versions may also be affected.
Solution
Edit the source code to ensure that input is properly sanitised.