Summary
This host is installed with phpMyRecipes and is prone to multiple SQL injection vulnerabilities.
Impact
Successful exploitation will allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Impact Level: Application
Solution
No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to http://php-myrecipes.sourceforge.net/
Insight
Multiple flaws are due to improper sanitization of:
- the 'words_exact' parameter passed to the 'dosearch.php' script.
- the 'category' parameter passed to the 'browse.php' script.
Affected
phpMyRecipes version 1.2.2
Detection
Send a crafted exploit string via an HTTP GET request and check whether it is possible to execute an SQL query or not.
References
Severity
Classification
- CVE: CVE-2014-9347, CVE-2014-9440
- CVSS Base Score: 7.5
- CVSS Base Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P