Summary
This host is running NoticeBoardPro and is prone to SQL injection and arbitrary file upload vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary script code in a user's browser session in the context of an affected application and to manipulate SQL queries by injecting arbitrary SQL code.
Impact Level: Application.
Solution
Upgrade to NoticeBoardPro version 1.1.
For updates refer to http://www.NoticeBoardPro.com/
Insight
The flaws are due to:
- Input passed via the 'userID' parameter to 'deleteItem3.php' is not properly sanitised before being used in SQL queries.
- An error in the 'editItem1.php' script when validating uploaded files, which allows execution of arbitrary PHP code by uploading a PHP file.
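The two flaws above map onto two well-known PHP handler patterns. The following is an added example of how the corresponding hardened handlers look; it is not NoticeBoardPro's own code, and the table name `notices`, its columns `id` and `owner_id`, and the `$pdo` connection are assumptions.

```php
<?php
// Added hardened example, not code from NoticeBoardPro. The table and column
// names (notices, id, owner_id) and the $pdo connection are assumptions.

// Flaw 1: 'userID' reaching a SQL query unsanitised. Hardened form: reject
// anything that is not a plain integer, then bind it as a parameter so the
// value can never change the structure of the statement.
function deleteNotice(PDO $pdo, int $noticeId, string $rawUserId): int {
    if (!ctype_digit($rawUserId)) {
        throw new InvalidArgumentException('userID must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'DELETE FROM notices WHERE id = :id AND owner_id = :uid'
    );
    $stmt->execute([':id' => $noticeId, ':uid' => (int) $rawUserId]);
    return $stmt->rowCount(); // rows removed; 0 when the caller is not the owner
}

// Flaw 2: an uploaded file kept under its client-supplied name and served
// from the web root, so a .php upload becomes executable. Hardened form:
// extension allow-list, server-side content sniffing, a random server-chosen
// name, and a storage directory outside the document root.
function storeUpload(array $file, string $storageDir): string {
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // The client-supplied extension only selects an allow-list entry.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('file type not permitted');
    }
    // The real content type is checked from the bytes, not the request header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Random name: the uploader never controls the stored path or extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

`$storageDir` should point outside the web root (or to a directory where the web server has PHP execution disabled) so that even a misclassified file is never interpreted as code.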
Affected
NoticeBoardPro version 1.0
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P