Kmaleon SQL Injection Vulnerability in kmaleonW.php

Vulnerability

An authenticated SQL injection vulnerability has been identified in Kmaleon version 1.1.0.205. The issue resides in the 'tipocomb' parameter of the kmaleonW.php file, allowing attackers to manipulate database queries. This vulnerability can be exploited using boolean-based, error-based, and time-based blind SQL injection techniques, potentially leading to unauthorized extraction or modification of database information.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, with the potential to extract or manipulate database information.

Reproduction

To reproduce this vulnerability, log into the Kmaleon application and navigate to the kmaleonW.php page. Once there, send a request that includes the 'tipocomb' parameter. The injection can be confirmed with boolean-based, error-based, or time-based blind SQL injection techniques: a boolean-based payload alters the truth value of the application's database query and changes the response accordingly, while an error-based payload relies on database error messages being reflected in the response to extract information.
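The query-construction pattern behind this class of bug, as an added example that is not Kmaleon's code (the advisory shows no source): a constructed sqlite3 table and column names stand in for whatever kmaleonW.php actually queries, since the real schema is not on the page. The vulnerable string concatenation sits next to the parameterized form and an allow-list check, and the boolean-based and error-based inputs the advisory mentions are run against both so the difference in behaviour, and therefore the fix, is concrete.

```python
import sqlite3

# Constructed sample schema; table and column names are assumptions,
# not Kmaleon's actual database layout.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE combinaciones (id INTEGER PRIMARY KEY, tipocomb TEXT, secreto TEXT)"
    )
    conn.executemany(
        "INSERT INTO combinaciones (tipocomb, secreto) VALUES (?, ?)",
        [("A", "row-a"), ("B", "row-b"), ("C", "row-c")],
    )
    return conn


def query_vulnerable(conn, tipocomb):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so quote characters in the value change the structure of the query.
    sql = "SELECT id, tipocomb FROM combinaciones WHERE tipocomb = '" + tipocomb + "'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn, tipocomb):
    # Hardened pattern: the value travels as a bound parameter and is never
    # parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT id, tipocomb FROM combinaciones WHERE tipocomb = ?", (tipocomb,)
    ).fetchall()


# Assumed set of legitimate values; a real deployment would derive this
# from the application's own list of combination types.
ALLOWED_TIPOCOMB = {"A", "B", "C"}


def query_allowlisted(conn, tipocomb):
    # Defense in depth: reject anything outside the known set before the
    # database is touched, which also removes the blind-injection oracle.
    if tipocomb not in ALLOWED_TIPOCOMB:
        raise ValueError("tipocomb rejected")
    return query_parameterized(conn, tipocomb)


def raises_db_error(fn, conn, tipocomb):
    # Helper for the error-based case: does this input make the query fail?
    try:
        fn(conn, tipocomb)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    boolean_payload = "A' OR '1'='1"   # boolean-based: turns the WHERE clause always-true
    error_payload = "A'"               # error-based: unbalanced quote breaks the statement
    print("vulnerable, boolean payload:", query_vulnerable(db, boolean_payload))
    print("parameterized, boolean payload:", query_parameterized(db, boolean_payload))
    print("vulnerable errors on unbalanced quote:", raises_db_error(query_vulnerable, db, error_payload))
    print("parameterized errors on unbalanced quote:", raises_db_error(query_parameterized, db, error_payload))
```

With the concatenated query, the boolean payload returns every row and the unbalanced quote produces a database error, which is exactly the signal blind and error-based techniques depend on; with the bound parameter, the same inputs simply match no rows and raise nothing. The allow-list is the cheap extra layer for a parameter like 'tipocomb' that should only ever take a handful of known values.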

Added: Jan 15, 2026, 4:38 PM
Updated: Jan 15, 2026, 4:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.