Description
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info.php (line 16): SELECT * FROM jobs where id = '\".$_GET['id'].\"'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current user, schema names, and table contents.
Problem types
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
Any version
Credits
philopentest
References
gist.github.com/...inforepo/d5b2771d82e1b31b8fc1c33052e08dad (Researcher Disclosure)
www.vulncheck.com/...ection-via-id-parameter-in-job-info-php