Akiva WebBoard 'name' Parameter SQL Injection Vulnerability
BID:51210
Info
| Bugtraq ID: | 51210 |
| Class: | Input Validation Error |
| CVE: | CVE-2011-5203 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 30 2011 12:00AM |
| Updated: | Oct 08 2012 06:30PM |
| Credit: | Alexander Fuchs |
| Vulnerable: | Akiva WebBoard 6.1; Akiva WebBoard 8.0 |
| Not Vulnerable: | Akiva WebBoard 8.0 SR1 |
Discussion
Akiva WebBoard is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Akiva WebBoard 8 SR 1 are vulnerable.
Exploit / POC
Attackers can use a browser to exploit this issue.
The following example URL is available:
http://www.example.com/WB/Default.asp?LogIn=yes&action=7
Solution / Fix
Solution:
The vendor released an update to address this issue. Please see the references for more information.
References
References: