Public Exploit 1.1.8 /sql Injection

Just receive this

Its only afted on 1.1.8? (i know its a old version)

Was a security hole on the framework or on the developed application(i mean can be a problem with AR or something built-in?) ??

I can’t find a ticket related to this. And this exploit doesn’t seem to affect v1.1.12.

This is related to the Nguyen website, check the pictures on the original exploit page -

His website is still vulnerable to this exploit… this is the code he is using

$q = Yii::app()->getRequest()->getPost("q");

$products = product::model()->findAll(array(

   "condition" => "enable = 1 AND name like '%" . $q . "%'"


Problem is that he is using directly the pased search variable $q, instead of binding for example or sanitizing the input.

I just tryed to send an email to the website owner through the contact us form… but even there is an error so the mails are not sent I guess

If somebody has a way please let the website owner know about this exploit.

Site owner has YII_DEBUG turned on as well.

Found email. Sent a link here to website support.

Email doesn’t repond after all. Looks like this website is abandoned.