SQL injection vulnerability found in Symphony version 2.3.1
High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to the database of the vulnerable application.
The vulnerability exists due to insufficient filtration of the "sort" HTTP GET parameter passed via the "/symphony/system/authors/" URL to the "index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
See more details at High-Tech Bridge Advisory HTB23148 - SQL Injection in Symphony.
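
The advisory attributes the flaw to insufficient filtration of the "sort" parameter. As an added example (not Symphony's code and not taken from the advisory), the following PHP shows allowlist validation of a sort value, assuming the parameter selects the ORDER BY column of the authors listing; the schema, function names, and rows are constructed for illustration.

```php
<?php
// Added example; not Symphony's code. Schema and rows are constructed.

// Request value => column name. Identifiers cannot be bound as
// prepared-statement parameters, so they come only from this fixed map.
const SORT_COLUMNS = [
    'id'       => 'id',
    'username' => 'username',
    'email'    => 'email',
];

// Hypothetical helper: map the raw request value to a known column.
function resolve_sort_column($requested): string
{
    // Non-string input (e.g. ?sort[]=x) and unknown names fall back to the default.
    if (is_string($requested) && array_key_exists($requested, SORT_COLUMNS)) {
        return SORT_COLUMNS[$requested];
    }
    return 'id';
}

// Hypothetical listing function for the constructed "authors" table.
function list_authors(PDO $db, $requestedSort): array
{
    $column = resolve_sort_column($requestedSort);
    // Only a string taken from SORT_COLUMNS is ever concatenated into the SQL text.
    $stmt = $db->query("SELECT id, username, email FROM authors ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite database so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO authors (username, email) VALUES
    ('zoe', 'a@example.test'), ('adam', 'z@example.test')");

// Constructed inputs: two allowlisted names, one unknown name, one array.
foreach (['username', 'email', 'password_hash', ['x']] as $input) {
    $first = list_authors($db, $input)[0]['username'];
    printf("%-15s -> ORDER BY %-8s first row: %s\n",
        is_array($input) ? 'array' : $input, resolve_sort_column($input), $first);
}
```

Because the request value is only ever used as a lookup key, nothing the client sends reaches the SQL text, including for authenticated administrators.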