Description
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.
Problem types
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
Any version
Credits
philopentest
References
gist.github.com/...inforepo/d5b2771d82e1b31b8fc1c33052e08dad (Researcher Disclosure)
www.vulncheck.com/...-via-id-parameter-in-translate-text-php