L2Web LineWeb 1.0.5 - Multiple Input Validation Vulnerabilities

source: https://www.securityfocus.com/bid/40577/info

LineWeb is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include multiple local file-include vulnerabilities, multiple SQL-injection vulnerabilities, and an unauthorized-access vulnerability.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information, execute arbitrary local scripts in the context of the webserver process, obtain unauthorized access to restricted scripts, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

LineWeb 1.0.5 is vulnerable; other versions may be affected. 

The following example URIs are available:

http://www.example.com/Lineage ACM/lineweb_1.0.5/index.php?op=../../../../../../../etc/passwd
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA