PHP Inventory 'user' and 'pass' Parameters SQL Injection Vulnerability

Summary
This host is running PHP Inventory and is prone to an SQL injection vulnerability.
Impact
Successful exploitation will allow remote attackers to include arbitrary HTML or web scripts in the scope of the browser and to obtain and manipulate sensitive information.
Impact Level: Application
Solution
Upgrade to PHP Inventory version 1.3.2 or later. For updates refer to http://www.phpwares.com/content/php-inventory
Insight
The flaw exists because input passed to the 'user' and 'pass' form fields in 'index.php' is not properly sanitised before being used in an SQL query.
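The pattern behind this class of flaw, next to a parameterised form, as an added example that is not PHP Inventory's own code. The table name, column names, function names and sample credentials are assumptions made for illustration, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added illustration; not PHP Inventory source. Schema and names are assumed.
declare(strict_types=1);

// Constructed in-memory database standing in for the application's user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Flawed pattern: form values spliced straight into the SQL text.
// Only the string is built here (never executed), to show that a quote
// character in the input becomes part of the statement itself.
function concatenated_sql(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
}

// Hardened pattern: the statement text is fixed, the form value is bound as
// data, and the password is verified against a stored hash outside the query.
function login(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE username = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Constructed stand-ins for $_POST['user'] and $_POST['pass'].
$user = "o'brien";
$pass = 'constructed-sample-pw';

// The apostrophe in the name ends the string literal early in the built SQL.
echo concatenated_sql($user, $pass), PHP_EOL;

// With a bound parameter the same name is compared literally against the column.
var_dump(login($db, $user, $pass));
var_dump(login($db, $user, 'wrong-password'));
```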
Affected
PHP Inventory version 1.3.1