
Myspace Friend Train v2.8

Full path disclosure & possible SQL injection.


It's possible to put ' in the input MySpace ID box to get the error. An example of the error is below:

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '72.150.32.136')' at line 1 Whole query: INSERT INTO train ( count, id, display, pictureurl, age, gender, quote, address) values( '6', '\'', '', 'http://i.myspace.com/site/images/no_pic.gif', '', '', '\', '72.150.32.136')

An example that discloses a full path error is:

http://www.example.com/myspacetrain/show.php?show=join'
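The error above shows the two defects together: the submitted ID is spliced straight into the INSERT text (so a quote character becomes SQL syntax), and the script echoes the driver's message plus the whole query back to the browser. The following is an added example, not code from the Friend Train script or this advisory. It is a Python/sqlite3 stand-in for the PHP/MySQL application; the table layout and column names are taken from the quoted error, the function names, the "train" schema types and the constant values are assumptions, and the probe input is the advisory's lone single quote. It reproduces the failure on a throwaway in-memory database and sets the hardened form beside it: a parameterised statement that stores the same input verbatim, and an error handler that logs driver detail server-side instead of displaying it.

```python
import logging
import sqlite3

# Constructed stand-in for the advisory's "train" table. The real application is
# PHP on MySQL; only the column names come from the quoted error, the types are assumed.
SCHEMA = """
CREATE TABLE train (
    count TEXT, id TEXT, display TEXT, pictureurl TEXT,
    age TEXT, gender TEXT, quote TEXT, address TEXT
)
"""
NO_PIC = "http://i.myspace.com/site/images/no_pic.gif"
COLUMNS = "count, id, display, pictureurl, age, gender, quote, address"


def build_query_unsafe(myspace_id, remote_addr):
    """The defect the advisory's error reveals: the submitted id is spliced
    straight into the SQL text, so a quote in the input becomes SQL syntax."""
    return (
        f"INSERT INTO train ({COLUMNS}) VALUES "
        f"('6', '{myspace_id}', '', '{NO_PIC}', '', '', '', '{remote_addr}')"
    )


def insert_unsafe(conn, myspace_id, remote_addr):
    """Returns (ok, page_text). On failure the page text mirrors what the
    advisory shows the script echoing: the driver's message plus the whole query."""
    query = build_query_unsafe(myspace_id, remote_addr)
    try:
        conn.execute(query)
        return True, ""
    except sqlite3.Error as exc:
        return False, f"Invalid query: {exc} Whole query: {query}"


def insert_safe(conn, myspace_id, remote_addr):
    """Hardened form: a parameterised statement keeps the data out of the SQL
    grammar, so the same input is stored verbatim and the statement never changes."""
    conn.execute(
        f"INSERT INTO train ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        ("6", myspace_id, "", NO_PIC, "", "", "", remote_addr),
    )
    return True


def insert_with_quiet_errors(conn, myspace_id, remote_addr, log):
    """Mitigation for the disclosure half of the advisory: driver errors (which
    carry query text and, in PHP with display_errors on, the script's filesystem
    path) go to the server log; the user only ever sees a generic message."""
    try:
        insert_safe(conn, myspace_id, remote_addr)
        return True, "Joined the train."
    except sqlite3.Error as exc:
        log.error("train insert failed: %s", exc)
        return False, "Sorry, your request could not be processed."


def stored_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM train ORDER BY rowid")]


def demo(probe="'"):
    """Runs the advisory's probe input (a lone single quote) through every path
    and returns what each produced, so the difference can be checked."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    addr = "72.150.32.136"  # the client address shown in the advisory's query
    unsafe_ok, page = insert_unsafe(conn, probe, addr)
    insert_safe(conn, probe, addr)
    quiet_ok, message = insert_with_quiet_errors(conn, probe, addr, logging.getLogger("train"))
    return {
        "unsafe_ok": unsafe_ok,      # False: the quote broke the statement
        "page": page,                # what the vulnerable script would display
        "quiet_ok": quiet_ok,        # True: parameterised insert accepted the quote
        "message": message,          # generic text, no query or path leaked
        "ids": stored_ids(conn),     # the quote stored twice, as plain data
    }


if __name__ == "__main__":
    result = demo()
    print("unsafe insert succeeded:", result["unsafe_ok"])
    print("vulnerable page would show:", result["page"][:100], "...")
    print("hardened page shows:", result["message"])
    print("rows stored by the parameterised insert:", result["ids"])
```

The unsafe path fails for the same reason the MySQL error does: once the quote closes the string literal, the rest of the values list is parsed as SQL rather than data. Placeholders remove that mixing entirely, which is why the fix is parameterisation rather than stripping or escaping quotes in the ID field; the quiet error handler is the separate fix for the full path and query disclosure, and in PHP corresponds to turning display_errors off and logging instead.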
