CVE-2006-6177 Information
Description
SQL injection vulnerability in system/core/users/users.profile.inc.php in Neocrome Seditio 1.10 and earlier allows remote authenticated users to execute arbitrary SQL commands via a double-url-encoded id parameter to users.php that begins with a valid filename as demonstrated by \default.gif\ followed by an encoded NULL and ’ (apostrophe) (25002527).
Reference
http://secunia.com/advisories/23054
http://securityreason.com/securityalert/1931
http://www.neocrome.net/page.php?id=2233
http://www.nukedx.com/?getxpl=52
http://www.nukedx.com/?viewdoc=52
http://www.securityfocus.com/archive/1/452269/100/100/threaded
http://www.vupen.com/english/advisories/2006/4668
https://exchange.xforce.ibmcloud.com/vulnerabilities/30466
SQL
injection
vulnerability
in
system/core/users/users.profile.inc.php
in
Neocrome
Seditio
1.10
and
earlier
allows
remote
authenticated
users
to
execute
arbitrary
SQL
commands
via
a
double-url-encoded
id
parameter
to
users.php
that
begins
with
a
valid
filename
as
demonstrated
by
\default.gif
followed
by
an
encoded
NULL
and
'
(apostrophe)
(25002527).