PHP Inventory Multiple Vulnerabilities Network Vulnerability

Summary

This host is running PHP inventory and is prone to multiple vulnerabilities.

Impact

Successful exploitation will allow remote attackers to include arbitrary HTML or web scripts in the scope of the browser and allows to obtain and manipulate sensitive information. Impact Level: Application.

Solution

Update to PHP Inventory version 1.3.2 or later. For updates refer to http://www.phpwares.com/content/php-inventory

Insight

The Multiple flaws due to, - Input passed via the 'user_id' parameter to 'index.php' and via the 'sup_id' parameter is not properly sanitised before being used in an SQL query. - Input passed via the 'user' and 'pass' form field to 'index.php' is not properly sanitised before being used in an SQL query.

Affected

PHP Inventory version 1.2 and prior.

References

http://secunia.com/advisories/37672
http://www.exploit-db.com/exploits/10370
http://xforce.iss.net/xforce/xfdb/54666
http://xforce.iss.net/xforce/xfdb/54667

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-4595, CVE-2009-4596, CVE-2009-4597

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Adiscon LogAnalyzer Multiple SQL Injection and XSS Vulnerabilities
Apache Tomcat AJP Protocol Security Bypass Vulnerability
Astium VoIP PBX SQL Injection Vulnerability
AV Arcade 'ava_code' Cookie Parameter SQL Injection Vulnerability
Advantech WebAccess Multiple Vulnerabilities

Take action and discover your vulnerabilities