CVE-2014-9345
Description
SQL injection vulnerability in Guruperl.net Advertise With Pleasure! Professional (aka AWP PRO) 6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a list_zone action to cgi/client.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in AWP PRO 6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the `group_id` parameter in `client.cgi`.
Vulnerability
A SQL injection vulnerability exists in Guruperl.net Advertise With Pleasure! Professional (AWP PRO) version 6.6 and earlier [1]. The flaw resides in the list_zone action of the CGI script cgi/client.cgi [1]. The group_id parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands directly [1]. All versions up to and including 6.6 are affected, including earlier versions not individually listed [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable script with a malicious group_id parameter [1]. No authentication is required; the attack is performed from a remote network position [1]. The proof-of-concept demonstrates that appending a single quote (') to the parameter value reveals the injection point, and a standard UNION SELECT payload can retrieve arbitrary data from the database, such as usernames and passwords from the awp_ad_client table [1]. The provided example URL is: http://server/cgi/client.cgi?act=list_zone&group_id=1 union all select 1,2,group_concat(login,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from awp_ad_client-- [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries on the underlying database [1]. This can lead to complete disclosure of sensitive data, including login credentials stored in plaintext in the awp_ad_client table [1]. The attacker may further be able to enumerate the database structure, extract other tables and, depending on the database configuration, write files or escalate to code execution through the injection point [1]. The confidentiality and integrity of the application database are fully compromised [1].
Mitigation
As of the advisory publication date (December 2, 2014), no official patch has been released for AWP PRO version 6.6 or earlier [1]. Users should upgrade to a version newer than 6.6 if available, or contact the vendor for a fix [1]. If upgrading is not possible, a web application firewall (WAF) or input validation on the group_id parameter should be implemented to block malicious SQL patterns [1]. The vendor is Guruperl.net and the product page was available at http://www.guruperl.net/products/awppro/ [1].
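The input-validation and parameterized-query fix recommended above, as an added illustration that is not the product's code: a stand-in for the list_zone handler written in Python against an in-memory SQLite database (the real product is Perl CGI, and the awp_ad_zone table and its columns are constructed for this example). It shows the flawed string-interpolation pattern beside the hardened version and how each reacts to the single-quote probe described in the Exploitation section.

```python
import re
import sqlite3

# Constructed stand-in for the advertising database; table and column names
# are assumptions for this illustration, not the product's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE awp_ad_zone (id INTEGER, group_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO awp_ad_zone VALUES (?, ?, ?)",
                     [(1, 1, "top banner"), (2, 1, "sidebar"), (3, 2, "footer")])
    return conn

def list_zone_vulnerable(conn, group_id):
    # The flawed pattern: the request parameter is pasted into the SQL text,
    # so its content is parsed as SQL rather than treated as a value.
    sql = "SELECT id, name FROM awp_ad_zone WHERE group_id=%s ORDER BY id" % group_id
    return conn.execute(sql).fetchall()

class InvalidParameter(ValueError):
    """Raised when a request parameter fails allow-list validation."""

def validate_group_id(raw):
    # Allow-list validation: group_id is a numeric identifier, so only a
    # positive integer of sane length is acceptable; anything else is rejected
    # before the database is touched.
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise InvalidParameter("group_id must be a positive integer")
    return int(raw)

def list_zone_hardened(conn, raw_group_id):
    group_id = validate_group_id(raw_group_id)
    # Parameterized query: the driver binds the value, so it can never
    # change the structure of the statement.
    sql = "SELECT id, name FROM awp_ad_zone WHERE group_id=? ORDER BY id"
    return conn.execute(sql, (group_id,)).fetchall()

def probe(handler, conn, raw):
    # Run a handler on one request value and report either the rows or the
    # exception class; this is what a regression test for the fix checks.
    try:
        return ("ok", handler(conn, raw))
    except Exception as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), "vulnerable:", probe(list_zone_vulnerable, db, value))
        print(repr(value), "hardened:  ", probe(list_zone_hardened, db, value))
```

In the Perl CGI original the equivalent change is the same allow-list check followed by DBI's prepare/execute with a ? placeholder instead of interpolating the parameter into the query string.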
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:guruperl:advertise_with_pleasure\!:*:*:*:*:professional:*:*:* (range: <=6.6)
- (no CPE) (range: <=6.6)
- Range: <=6.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.