preg_match() only checks whether
$_GET['code'] contains at least one letter or digit (the regexp is missing ^ and $).
It should check that the value contains only digits and letters.
So we have a Blind SQL Injection inside
$chkVal, which is not escaped.
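The following is an added example, not code from the advisory or the affected product. It reconstructs the unanchored check described above (the exact original pattern is assumed to be `/[a-zA-Z0-9]+/`), puts the anchored check beside it, and binds the value as a query parameter instead of concatenating it, so the filter is no longer the only barrier. The table name `users`, the column `code` and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added example (not from the advisory): unanchored check vs. anchored
// check, plus a parameterised query in place of an unescaped value.
// Table and column names are assumed.

declare(strict_types=1);

// Assumed reconstruction of the weak check: it matches if ANY character
// in the string is a letter or digit, so a value such as "abc'def" passes.
function isValidCodeWeak(string $code): bool
{
    return preg_match('/[a-zA-Z0-9]+/', $code) === 1;
}

// Hardened check, anchored at both ends. \z is used instead of $ because
// in PCRE $ also matches before a trailing newline, which would let
// "abc123\n" through; the D (dollar-end-only) modifier is the alternative.
function isValidCodeStrict(string $code): bool
{
    return preg_match('/^[a-zA-Z0-9]+\z/', $code) === 1;
}

// Assumed lookup: the code is bound as a parameter, so even a value that
// slipped past the regexp could not change the structure of the query.
function findUserIdByCode(PDO $db, string $code): ?int
{
    if (!isValidCodeStrict($code)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Constructed in-memory database for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, code TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, code) VALUES (1, 'abc123')");

// Constructed sample inputs: one valid code and three that contain a
// character outside [a-zA-Z0-9] (quote, trailing newline, space).
$samples = ['abc123', "abc'def", "abc123\n", 'abc 123'];
foreach ($samples as $s) {
    printf(
        "%-12s weak=%s strict=%s lookup=%s\n",
        json_encode($s),
        isValidCodeWeak($s) ? 'pass' : 'fail',
        isValidCodeStrict($s) ? 'pass' : 'fail',
        var_export(findUserIdByCode($db, $s), true)
    );
}
```

Run with `php example.php`: the weak check accepts all four samples, the anchored check accepts only `abc123`, and only that value reaches the database. Note the trailing-newline case, which an anchored pattern ending in `$` without the `D` modifier would still accept.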
Proof of Concept:
This SQL checks whether the first character of the password of the user with
ID=1 is “c”.
If so, it sleeps for 5 seconds.
- 23-11-2014: Discovered
- 23-11-2014: Vendor notified
- 27-11-2014: Fix for version 3.1 released, issue resolved