HGiga C&Cmail SQL Injection

Current Description

HGiga C&Cmail has a SQL injection vulnerability, allowing execution of arbitrary SQL commands via the seq parameter. This vulnerability affects the mail systems of many governments, organizations and companies.

Details

The injection point is bkimage parameter in "modify_cmc.php".

It allows remote attackers to execute arbitrary SQL commands via the seq parameter.

Remote attackers can obtain unauthorized data such as users' accounts and passwords and use them to log in to the webmail. Once in a victim's account, remote attackers can modify the password. Remote attackers can also write arbitrary files, such as a webshell, on the target system. This compromises the confidentiality, integrity and availability of both data and system.
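The following is a hypothetical illustration added to this advisory, not HGiga's code: a PHP handler that builds its UPDATE by concatenating the seq and bkimage request parameters into the SQL text, beside a hardened version that validates seq and binds both values through a PDO prepared statement. The table name, column names, the $pdo connection and the function names are assumptions.

```php
<?php
// Hypothetical PHP handler, NOT HGiga's code. Table/column names and $pdo are assumed.

// VULNERABLE pattern: request parameters are pasted into the SQL string, so the
// database cannot tell the intended values apart from injected SQL syntax.
function modifyCalendarImageVulnerable(PDO $pdo, array $request): int
{
    $seq     = $request['seq'] ?? '';
    $bkimage = $request['bkimage'] ?? '';
    $sql = "UPDATE calendar SET bkimage = '" . $bkimage . "' WHERE seq = '" . $seq . "'";
    return $pdo->exec($sql);   // any quote in seq or bkimage changes the query itself
}

// HARDENED pattern: enforce the expected type of each parameter, then pass the
// values to the database separately from the SQL text via a prepared statement.
function modifyCalendarImageHardened(PDO $pdo, array $request): int
{
    // seq is a numeric row identifier; anything that is not a non-negative integer is rejected.
    $seq = filter_var($request['seq'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($seq === false) {
        http_response_code(400);
        return 0;
    }
    // bkimage is a file name chosen from the server's own image set; constrain it to a
    // conservative character set (assumed policy) instead of trusting free-form input.
    $bkimage = (string) ($request['bkimage'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $bkimage)) {
        http_response_code(400);
        return 0;
    }
    // Bound parameters are sent as data, never interpreted as SQL, so no injected
    // syntax can reach the database no matter what the request contains.
    $stmt = $pdo->prepare('UPDATE calendar SET bkimage = :bkimage WHERE seq = :seq');
    $stmt->bindValue(':bkimage', $bkimage, PDO::PARAM_STR);
    $stmt->bindValue(':seq', $seq, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```

Binding alone does not limit what a compromised query could do with the database account's privileges; the file-write impact described above is also mitigated by running the application's database user without file or administrative privileges.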

Description

Remote attackers can execute arbitrary SQL commands.

Affected files

http://[Target Domain]/EIP/oll/calendar/modify_cmc.php

Contributor

  • Tony Kuo (CHT Security)