MyPHP Forum Input Validation Holes Let Remote Users Inject SQL Commands
Category: Vulnerability Posted: 2005-02-11 by ReCall
Details
Description: A vulnerability was reported in MyPHP Forum. A remote user can inject SQL commands.
Several scripts do not properly validate user-supplied input in certain fields. A remote user can supply specially crafted input to execute SQL commands on the underlying database. This flaw can be exploited if 'magic_quotes_gpc' is off.
The 'forum.php' script does not properly validate user-supplied input in the 'fid' parameter.
The 'member.php' script does not properly validate user-supplied input in the 'member' parameter. A demonstration exploit URL is provided:
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1
The 'forgot.php' script does not properly validate user-supplied input in the 'email' parameter.
The 'include.php' script does not properly validate user-supplied input in the 'nbuser' and 'nbpass' parameters.
foster GHC reported these flaws.
Impact: A remote user can execute SQL commands on the underlying database.
Solution: No solution was available at the time of this entry.
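The 'member' injection described above, modelled as an added example (not MyPHP Forum's code and not part of the original advisory): the advisory's demonstration input is run against a concatenated query and against a bound-parameter query. The in-memory SQLite table, its single row, SECRET and the function names are constructed, and the shape of the flawed query is an assumption.

```python
import sqlite3

# Column names come from the advisory's demonstration URL; the table contents,
# SECRET and all function names are constructed for this example.
COLS = ("uid, username, password, status, email, website, aim, msn, "
        "location, sig, regdate, posts, yahoo")
SECRET = "PLACEHOLDER-PASSWORD-VALUE"

# 'member' value from the advisory's demonstration URL, joined onto one line.
DEMO = ("nonexist' UNION SELECT uid, username, password, status, email, website, "
        "aim, msn, location, sig, regdate, posts, password as yahoo "
        "FROM nb_member WHERE uid='1")

def make_db():
    """In-memory stand-in for nb_member with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE nb_member ({COLS})")
    row = ("1", "admin", SECRET, "Administrator", "admin@example.test",
           "", "", "", "", "", "2005-01-01", "10", "admin_im")
    db.execute("INSERT INTO nb_member VALUES (" + ",".join("?" * 13) + ")", row)
    return db

def view_profile_concat(db, member):
    # Assumed shape of the flawed lookup: the request value is pasted between
    # quotes, so a quote in the value ends the string literal.
    sql = f"SELECT {COLS} FROM nb_member WHERE username='{member}'"
    return db.execute(sql).fetchall()

def view_profile_bound(db, member):
    # Hardened form: the value is a bound parameter and is never parsed as SQL.
    sql = f"SELECT {COLS} FROM nb_member WHERE username=?"
    return db.execute(sql, (member,)).fetchall()

def leaks_password(lookup):
    """Regression check: does the demonstration input put the password
    column into the 'yahoo' (last) field of the returned profile?"""
    rows = lookup(make_db(), DEMO)
    return any(r[-1] == SECRET for r in rows)

if __name__ == "__main__":
    print("concatenated query leaks:", leaks_password(view_profile_concat))
    print("bound-parameter query leaks:", leaks_password(view_profile_bound))
```

The same check can be pointed at any lookup function to confirm that a quote in the request value no longer changes the statement.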