SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   phpWebSite Vendors:   phpWebSite Development Team
phpWebSite 'ANN_id' Variable Input Validation Hole Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1009045
SecurityTracker URL:  http://securitytracker.com/id/1009045
CVE Reference:   CVE-2004-2322   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Feb 14 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.9.x
Description:   David Sopas Ferreira of SystemSecure.org reported a vulnerability in phpWebSite in the announce module. A remote user can inject SQL commands.

It is reported that the module does not properly validate user-supplied input in the 'ANN_id' variable. A remote user can supply a specially crafted URL to cause SQL commands to be executed on the target system's database.

A demonstration exploit example is provided:

index.php?module=announce&ANN_user_op=view&ANN_id='[SQL injection HERE]

The flaw reportedly resides in 'mod/announcements/index.php'. A similar flaw in the notes module ('mod/notes/index.php') was subsequently detected and reported by the vendor.

The original advisory is available at:

http://www.systemsecure.org/advisories/ssadvisory13022004.php

Impact:   A remote user can execute SQL commands on the target system's database.
Solution:   A patch is reportedly available via CVS.
Vendor URL:  phpwebsite.appstate.edu/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHPWebSite SQL Injection


*SystemSecure.org Advisory*

Date: 13-02-2004
Software: PHPWebSite 0.9.x
Vendor: Warned and fixed the problem
Website: http://phpwebsite.appstate.edu/

phpWebSite provides a complete web site content management
system.  Web-based administration allows for easy maintenance of
interactive, community-driven web sites.

This php/mysql based system, suffers from a SQL injection in
"ANN_id" variable.

Example:
index.php?module=announce&ANN_user_op=view&ANN_id='[SQL injection HERE]

Solution:
Vender already patched this in CVS version.


Original advisory: http://www.systemsecure.org/advisories/ssadvisory13022004.php


Discovered by David Sopas Ferreira
iamroot@systemsecure.org


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC