Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
BID:20996
Info
Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 20996 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 10 2006 12:00AM |
| Updated: | Nov 16 2006 03:41PM |
| Credit: | Laurent Gaffié & Benjamin Mossé are credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Bitweaver Bitweaver 1.3.1 Bitweaver Bitweaver 1.3 Bitweaver Bitweaver 1.2.1 Bitweaver Bitweaver 1.2 Bitweaver Bitweaver 1.1.1 beta |
| Not Vulnerable: | |
Discussion
Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
Bitweaver is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Bitweaver 1.3.1 and prior versions are vulnerable; other versions may also be affected.
Since this issue is a duplicate of the the issue described in BID 20988 (Bitweaver Multiple Input Validation Vulnerabilities), this BID is being retired.
Bitweaver is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Bitweaver 1.3.1 and prior versions are vulnerable; other versions may also be affected.
Since this issue is a duplicate of the the issue described in BID 20988 (Bitweaver Multiple Input Validation Vulnerabilities), this BID is being retired.
Exploit / POC
Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
An attacker can exploit this issue via a web client.
The following proof-of-concept URIs are available:
http://www.example.com/bitweaver/blogs/list_blogs.php?sort_mode=-98
http://www.example.com/bitweaver/fisheye/list_galleries.php?sort_mode=-98
http://www.example.com/bitweaver/fisheye/index.php?sort_mode=-98
http://www.example.com/bitweaver/wiki/orphan_pages.php?sort_mode=-98
http://www.example.com/bitweaver/wiki/list_pages.php?find=&sort_mode=-98
http://www.example.com/bitweaver/newsletters/edition.php?tk=[SQL]&find=1&search=suchen
An attacker can exploit this issue via a web client.
The following proof-of-concept URIs are available:
http://www.example.com/bitweaver/blogs/list_blogs.php?sort_mode=-98
http://www.example.com/bitweaver/fisheye/list_galleries.php?sort_mode=-98
http://www.example.com/bitweaver/fisheye/index.php?sort_mode=-98
http://www.example.com/bitweaver/wiki/orphan_pages.php?sort_mode=-98
http://www.example.com/bitweaver/wiki/list_pages.php?find=&sort_mode=-98
http://www.example.com/bitweaver/newsletters/edition.php?tk=[SQL]&find=1&search=suchen
Solution / Fix
Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
References
Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
References:
References:
- Bitweaver Homepage (bitweaver)