O2PHP Oxygen Post.PHP SQL Injection Vulnerability

Bugtraq ID:	17324
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 30 2006 12:00AM
Updated:	Aug 09 2006 12:35AM
Credit:	DaBDouB-MoSiKaR of the Moroccan Security Team is credited with the discovery of this vulnerability.
Vulnerable:	o2php.com Oxygen 1.1.3 o2php.com Oxygen 1.1.2 o2php.com Oxygen 1.1.1 o2php.com Oxygen 1.0.11 o2php.com Oxygen 1.1
Not Vulnerable:

O2PHP Oxygen Post.PHP SQL Injection Vulnerability

Oxygen is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Oxygen versions 1.1.3 and prior are reported to be affected.

O2PHP Oxygen Post.PHP SQL Injection Vulnerability

Attackers can exploit this issue via a web client.

An example URI has been provided:

http://www.example.com/post.php?action=newthread&fid=[sql]

O2PHP Oxygen Post.PHP SQL Injection Vulnerability

Solution:
The vendor has released a patch to address this issue. Please see the references for more information.mailto:[email protected]

O2PHP Oxygen Post.PHP SQL Injection Vulnerability

References:

• Fix SQL Injection in post.php (Bugtraq #17324) (eofredj)
  
• Oxygen<=1.x.x SQL injection ([email protected])