phpGB login.php password Parameter SQL Injection

2002-09-09T00:00:00
ID OSVDB:10111
Type osvdb
Reporter ppp-design (security@ppp-design.de)
Modified 2002-09-09T00:00:00

Description

Vulnerability Description

phpGB contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The 'password' parameter in the 'login.php' script is not properly sanitized, which may allow a remote attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 1.40 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.walzl.net/phpGB.13.0.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-09/0084.html
ISS X-Force ID: 10068
CVE-2002-1482
Bugtraq ID: 5673