CVE-2010-4612
Hycus CMS 1.0.3 - SQL Injection via user_name, usr_email, useremail, or q Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2010-4612. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Hycus CMS 1.0.3, including Local File Inclusion (LFI) via the 'site' parameter and SQL Injection (SQLi) via multiple input fields such as 'useremail', 'q', 'user_name', and 'usr_email'. The PoC provides clear examples of how to exploit these vulnerabilities.
Description
Multiple SQL injection vulnerabilities in index.php in Hycus CMS 1.0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user_name and (2) usr_email parameters to user/1/hregister.html, (3) usr_email parameter to user/1/hlogin.html, (4) useremail parameter to user/1/forgotpass.html, and the (5) q parameter to search/1.html. NOTE: some of these details are obtained from third party information.
Exploits (1)
The exploit demonstrates multiple vulnerabilities in Hycus CMS 1.0.3, including Local File Inclusion (LFI) via the 'site' parameter and SQL Injection (SQLi) via multiple input fields such as 'useremail', 'q', 'user_name', and 'usr_email'. The PoC provides clear examples of how to exploit these vulnerabilities.