Summary
The remote host contains a PHP script that is vulnerable to SQL injection.
Description
The remote host is running ATutor, an open source web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind.
The remote version of this software contains an input validation flaw in the 'password_reminder.php' script. This vulnerability occurs only when 'magic_quotes_gpc' is set to off in the 'php.ini' configuration file. A malicious user can exploit this flaw to manipulate SQL queries and steal any user's password.
Solution
Upgrade to ATutor 1.5.1 pl1 or later.
Severity
Classification
- CVE: CVE-2005-2954
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P