Document Title:
===============
Human Rights Resource Center - SQL Injection Vulnerability

Release Date:
=============
2011-07-20

Vulnerability Laboratory ID (VL-ID):
====================================
169

Product & Service Introduction:
===============================
The Human Rights Resource Center is an integral part of the University of Minnesota Human Rights Center and works in partnership with the University of Minnesota Human Rights Library to:

* Create and distribute Human Rights Education (HRE) resources via electronic and print media;
* Train activists, professionals, and students as human rights educators;
* Build advocacy networks to encourage effective practices in human rights education;
* Support the World Programme for Human Rights Education (2005-2007) and the United Nations Decade for Human Rights Education (1995-2004).

(Copy of the vendor Homepage:

Abstract Advisory Information:
==============================
A laboratory researcher discovered multiple SQL injection vulnerabilities on the HRUSA (Human Rights Resource Center) vendor website.

Vulnerability Disclosure Timeline:
==================================
2011-06-20: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A SQL injection vulnerability was detected on the website of the Human Rights Resource Center of USA. An unsanitized request parameter allows a remote attacker to inject and execute their own SQL statements.

Vulnerable Module(s):
[+] Listing

Pictures:
../hrusa.png

Proof of Concept (PoC):
=======================
This vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

Path: ../field/
File: listings.php
Para: ?catid= or ?view=details&catid=1&id=

- Remote SQL-Injection Exploit
- Remote SQL-Injection Exploit
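
The following detection sketch is an added example, not part of the original advisory or the vendor's code. It scans web access logs for requests to listings.php in which the catid or id parameter is not a plain integer. It assumes both parameters are integer identifiers (the advisory only shows catid=1) and that logs use the common/combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as injectable; ASSUMED here to be integer IDs.
NUMERIC_PARAMS = ("catid", "id")
# Request line inside a common/combined format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"[0-9]{1,10}")


def suspicious_params(target):
    """Return (name, decoded value) pairs in a listings.php request that are not integers."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/listings.php"):
        return []
    # parse_qsl percent-decodes values and keeps repeated parameters, so
    # encoded quotes and duplicated catid/id keys are both inspected.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(k, v) for k, v in pairs
            if k.lower() in NUMERIC_PARAMS and not INT_RE.fullmatch(v)]


def scan(log_lines):
    """Return [(line_number, findings)] for log lines carrying a non-integer ID."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = suspicious_params(m.group(1))
        if found:
            hits.append((n, found))
    return hits


# Constructed sample lines (documentation IP ranges, not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2011:10:00:01 +0000] "GET /field/listings.php?catid=3 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [20/Jul/2011:10:00:05 +0000] "GET /field/listings.php?view=details&catid=1&id=12 HTTP/1.1" 200 7301',
    '198.51.100.7 - - [20/Jul/2011:10:02:11 +0000] "GET /field/listings.php?catid=3%27 HTTP/1.1" 500 812',
    '198.51.100.7 - - [20/Jul/2011:10:02:19 +0000] "GET /field/listings.php?view=details&catid=1&id=12%20AND%201%3D1 HTTP/1.1" 200 7301',
    '192.0.2.44 - - [20/Jul/2011:10:03:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line_no, findings in scan(SAMPLE_LOG):
        print(f"line {line_no}: non-integer parameter(s) {findings}")
```

The same integer-only rule belongs in the listings.php handler itself, in front of a parameterized query, so that values this scan would flag are rejected before reaching the database.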