PWSPHP Profil.PHP SQL Injection Vulnerability
BID:13563
Info
PWSPHP Profil.PHP SQL Injection Vulnerability
| Bugtraq ID: | 13563 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 09 2005 12:00AM |
| Updated: | Jan 15 2007 11:30PM |
| Credit: | SecuBox fRoGGz <[email protected]> is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
PwsPHP PwsPHP 1.2.2 Final PwsPHP PwsPHP 1.2.2 PwsPHP PwsPHP 1.2.1 PwsPHP PwsPHP 1.1 |
| Not Vulnerable: |
PwsPHP PwsPHP 1.2.3 |
Discussion
PWSPHP Profil.PHP SQL Injection Vulnerability
PwsPHP is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
The vendor has addressed this issue in PwsPHP version 1.2.3; earlier versions are reported vulnerable.
PwsPHP is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
The vendor has addressed this issue in PwsPHP version 1.2.3; earlier versions are reported vulnerable.
Exploit / POC
PWSPHP Profil.PHP SQL Injection Vulnerability
No exploit is required.
The following proof-of-concept URI is available:
http://www.example.com/profil.php?id='[SQL Injection]
No exploit is required.
The following proof-of-concept URI is available:
http://www.example.com/profil.php?id='[SQL Injection]
Solution / Fix
PWSPHP Profil.PHP SQL Injection Vulnerability
Solution:
The vendor has addressed this issue in PwsPHP version 1.2.3.
PwsPHP PwsPHP 1.2.1
PwsPHP PwsPHP 1.2.2 Final
PwsPHP PwsPHP 1.2.2
Solution:
The vendor has addressed this issue in PwsPHP version 1.2.3.
PwsPHP PwsPHP 1.2.1
-
PwsPHP PwsPHP 1.2.3
http://mods.pwsphp.com/index.php?mod=archives&ac=voir&id=219
PwsPHP PwsPHP 1.2.2 Final
-
PwsPHP PwsPHP 1.2.3
http://mods.pwsphp.com/index.php?mod=archives&ac=voir&id=219
PwsPHP PwsPHP 1.2.2
-
PwsPHP PwsPHP 1.2.3
http://mods.pwsphp.com/index.php?mod=archives&ac=voir&id=219
References
PWSPHP Profil.PHP SQL Injection Vulnerability
References:
References:
- PwsPHP Homepage (PwsPHP)
- PwsPHP v1.2.2 Final - Multiples vulnerabilities (SecuBox fRoGGz
)