CVE-2007-2854
bti-tracker < 1.4.1 - SQL Injection via Style or Langue Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2007-2854. PoCs published by m@ge|ozz.
AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in BtiTracker <=v1.4.1, allowing an attacker to elevate privileges by manipulating the 'style' parameter in account_change.php. The PoC shows how to set the user's id_level to 8 (admin) via SQL injection.
Description
Multiple SQL injection vulnerabilities in account_change.php in BtiTracker 1.4.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) style or (2) langue parameter.
Exploits (1)
This exploit demonstrates a SQL injection vulnerability in BtiTracker <=v1.4.1, allowing an attacker to elevate privileges by manipulating the 'style' parameter in account_change.php. The PoC shows how to set the user's id_level to 8 (admin) via SQL injection.