phpWebThings forum Parameter SQL Injection Vulnerabilities

Summary
The remote web server contains a PHP script that is prone to SQL injection attacks.
Description
The remote host is running the phpWebThings application framework. The version of phpWebThings installed on the remote host does not properly sanitize user input in the 'forum' and 'msg' parameters of the 'forum.php' script before using it in database queries. An attacker can exploit this vulnerability to display the usernames and passwords (MD5 hashes) from the website and then use this information to gain administrative access to the affected application.
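For triage on a host flagged by this check, the added example below (not part of the advisory or of phpWebThings) scans web access logs for requests to 'forum.php' whose 'forum' or 'msg' values are not plain integers. It assumes both parameters are numeric identifiers and that the log uses the common/combined access-log format; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: 'forum' and 'msg' carry numeric IDs, so any other value is worth review.
CHECKED_PARAMS = ("forum", "msg")
# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")

def suspicious_params(log_line):
    """Return (param, decoded value) pairs on forum.php that are not plain integers."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/forum.php"):
        return []
    # parse_qs percent-decodes values, so encoded quotes and spaces are caught too.
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    for name in CHECKED_PARAMS:
        for value in query.get(name, []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((name, value))
    return hits

def scan(lines):
    """Return (line number, hits) for every log line with a non-integer value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = suspicious_params(line)
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /forum.php?forum=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /forum.php?forum=3%27 HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /forum.php?forum=3&msg=12%20OR%201%3D1 HTTP/1.1" 200 9833',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?forum=abc HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Hits only show that unexpected input reached the script; POST bodies are not logged in this format, so a clean result does not rule out earlier abuse.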
Solution
Apply the phpWebThings 1.4 forum patch referenced in the third URL above.
References