Bugtraq mailing list archives

OrderSys <= 1.6.4 Sql Injection Vulnerabilities
From: muuratsalo experimental hack lab <muuratsalo () gmail com>
Date: Tue, 8 Nov 2011 19:31:10 +0100

Dear All,
I have found multiple SQL injection vulnerabilities in OrderSys <= 1.6.4.
The vendor knows the vulnerabilities and he is fixing them, as stated
in the enclosed advisory. (See also
Since the developer is currently patching the current release, it is
possible that you can find, at the software link, different versions of
the same app (1.6.4).

advisory ------------------------------------------------------------------------
OrderSys <= 1.6.4 Sql Injection Vulnerabilities

author............: muuratsalo (Revshell.com)
contact...........: muuratsalo[at]gmail[dot]com
download..........: http://www.bioinformatics.org/phplabware/labwiki/index.php

[0x01] Vulnerability overview:

All versions of OrderSys <= 1.6.4 are affected by SQL injection vulnerabilities.
A valid account could be required to exploit the vulnerabilities.

[0x02] Disclosure timeline:

[04/11/2011] - Multiple SQL injection vulnerabilities discovered and
reported to the vendor
[05/11/2011] - Multiple SQL injection vulnerabilities fixed, OrderSys
1.6.4 released.
[05/11/2011] - OrderSys 1.6.4 is still vulnerable to some SQL
injection vulnerabilities.
[05/11/2011] - The vendor is currently working on fixing the reported issues.
[06/11/2011] - Public disclosure

[0x03] Proof of Concept:


  By Date           By Thread  

Current thread:
  • OrderSys <= 1.6.4 Sql Injection Vulnerabilities muuratsalo experimental hack lab (Nov 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]