CVE-2006-3662

ATutor 1.5.3 - SQL Injection via fid Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-3662. PoCs published by securityconnection.

AI-analyzed exploit summary This exploit demonstrates multiple input-validation vulnerabilities in ATutor, including XSS and SQL injection. It provides example URLs and POST requests to trigger these vulnerabilities.

Description

SQL injection vulnerability in index.php in ATutor 1.5.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: this issue has been disputed by the vendor, who states "The mentioned SQL injection vulnerability is not possible." However, the relevant source code suggests that this issue may be legitimate, and the parameter is cleansed in 1.5.3.1

Exploits (1)

exploitdb WORKING POC VERIFIED

by securityconnection · textwebappsphp

https://www.exploit-db.com/exploits/28192

View Code ZIP pw:eip

This exploit demonstrates multiple input-validation vulnerabilities in ATutor, including XSS and SQL injection. It provides example URLs and POST requests to trigger these vulnerabilities.

Classification

Working Poc 90%

Attack Type

Xss | Sqli

Complexity

Trivial

Reliability

Reliable

Target: ATutor (version not specified)

No auth needed

Prerequisites: Access to the target ATutor application

MITRE ATT&CK