PT-2006-2248 · Dsdownload · Dsdownload

Aliaksandr Hartsuyeu

Published

2006-03-14

Updated

2018-10-18

CVE-2006-1232

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions DSDownload version 1.0

Description The issue concerns SQL injection vulnerabilities. Remote attackers can execute arbitrary SQL commands via the key and category parameters to "search.php" and "downloads.php" API endpoints when magic quotes gpc is disabled.

Recommendations For DSDownload version 1.0, consider disabling the search.php and downloads.php scripts until a patch is available, or restrict access to these endpoints to minimize the risk of exploitation. Avoid using the key and category parameters in the affected API endpoints until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-1232

Affected Products

Dsdownload

PT-2006-2248 · Dsdownload · Dsdownload

CVE-2006-1232

Related Identifiers

Affected Products

References · 12