Home page logo

bugtraq logo Bugtraq mailing list archives

NeoInvoice Blind SQL Injection (CVE-2012-3477)
From: Adam Caudill <adam () adamcaudill com>
Date: Sun, 12 Aug 2012 13:32:03 -0400

NeoInvoice is a multi-tenant open source invoicing system, that
currently contains an unauthenticated blind SQL injection condition in
signup_check.php. The input for the value field isn't being properly
sanitized, and is used in string concatenation to create the SQL

See here for the offending code:


Proof of concept:


I've alerted the author but haven't heard back.

More Info: http://adamcaudill.com/2012/08/12/neoinvoice-blind-sql-injection-cve-2012-3477/
Project: https://github.com/tlhunter/neoinvoice

--Adam Caudill

  By Date           By Thread  

Current thread:
  • NeoInvoice Blind SQL Injection (CVE-2012-3477) Adam Caudill (Aug 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]