E-Business Designer Multiple Input Validation Vulnerabilities

Bugtraq ID:	17933
Class:	Input Validation Error
CVE:	CVE-2006-2347 CVE-2006-2348 CVE-2006-2349
Remote:	Yes
Local:	No
Published:	May 10 2006 12:00AM
Updated:	Jul 05 2006 09:34PM
Credit:	Pedro Andújar is credited with the discovery of these vulnerabilities.
Vulnerable:	Oasyssoft eBusiness Designer 0
Not Vulnerable:

E-Business Designer Multiple Input Validation Vulnerabilities

E-Business Designer is prone to multiple input-validation vulnerabilities. The issues include remote file include, remote command execution, cross-site scripting, and SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, execute remote PHP code in the context of the webserver process, access sensitive information, or exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.

Versions 3.1.4 and prior are vulnerable; other versions may also be affected.

E-Business Designer Multiple Input Validation Vulnerabilities

Attackers can exploit these issues via a web client and a network-monitoring tool.

E-Business Designer Multiple Input Validation Vulnerabilities

Solution:
The vendor has released a patch to address this issue.


Oasyssoft eBusiness Designer 0

• Oasyssoft binNr7awTFdvt.bin
  http://lists.oasyssoft.com/ebd-devel/200605/binNr7awTFdvt.bin

E-Business Designer Multiple Input Validation Vulnerabilities

References:

• eBusiness Designer Homepage (Oasyssoft)
  
• eBusiness Designer Security Advisory (Oasyssoft)
  
• Several flaws in e-business designer Homepage (Pedro Andujar)
  
• Re: Several flaws in e-business designer (eBD ([email protected])