BID:13355

SWSoft Confixx Change User SQL Injection Vulnerability

Info

SWSoft Confixx Change User SQL Injection Vulnerability

Bugtraq ID:	13355
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 25 2005 12:00AM
Updated:	Apr 25 2005 12:00AM
Credit:	"Erich Klaus" <[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	SWSoft Confixx 3.0.8 SWSoft Confixx 3.0.6 SWSoft Confixx Pro 3

Not Vulnerable:

Discussion

SWSoft Confixx Change User SQL Injection Vulnerability

Confixx is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

Exploit / POC

SWSoft Confixx Change User SQL Injection Vulnerability

No exploit is required.

Solution / Fix

SWSoft Confixx Change User SQL Injection Vulnerability

Solution:
The vendor has released a hot-fix to address this issue. Further details in regard to the installation of this hot-fix can be found in the reference section of this BID:

SWSoft Confixx 3.0.6

SWSoft confixx_v3.0.8-build20050505.10_php_hotfix.sh.gz
http://download1.sw-soft.com/Confixx/ConfixxPro3/3.0.8/confixx_v3.0.8- build20050505.10_php_hotfix.sh.gz

SWSoft Confixx 3.0.8

SWSoft confixx_v3.0.8-build20050505.10_php_hotfix.sh.gz
http://download1.sw-soft.com/Confixx/ConfixxPro3/3.0.8/confixx_v3.0.8- build20050505.10_php_hotfix.sh.gz

References

SWSoft Confixx Change User SQL Injection Vulnerability

References:

Confixx 3.0 hotfix Release Notes (Confixx)
Confixx Homepage (SWSoft)