OrganicPHP PHP-Affiliate details.php Unauthorized Account Modification

2002-08-15T00:00:00
ID OSVDB:10470
Type osvdb
Reporter OSVDB
Modified 2002-08-15T00:00:00

Description

Vulnerability Description

PHP-Affiliate contains a flaw related to the details.php script that may allow an attacker to gain elevated privileges. The issue is due to the script passing input to the details2.php script without verifying authentication credentials. By modifying the user ID field and supplying it to details2.php, an attacker may be able to modify arbitrary accounts to elevate their privileges.
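
The missing check described above, shown as an added example rather than PHP-Affiliate's own code: an update handler that trusts the posted user ID field, beside one that takes the target account from the authenticated session. All function, field and session key names are hypothetical, the account data is constructed, and session-based login is an assumption.

```php
<?php
// Added illustration; not PHP-Affiliate source. All names are hypothetical.

// Constructed sample rows standing in for the affiliate account table.
$accounts = [
    1 => ['email' => 'owner@example.test'],
    7 => ['email' => 'alice@example.test'],
];

// Pattern the advisory describes: the update step trusts the user ID field
// handed over from the previous form and never checks who is asking.
function update_unchecked(array &$accounts, array $post): bool
{
    $id = (int)($post['user_id'] ?? 0);
    if (!isset($accounts[$id])) {
        return false;
    }
    $accounts[$id]['email'] = (string)($post['email'] ?? '');
    return true;
}

// Corrected pattern: the target account comes from the authenticated session;
// a posted user ID that disagrees with it is refused and logged.
function update_checked(array &$accounts, array $session, array $post): bool
{
    $id = (int)($session['auth_user_id'] ?? 0);
    if ($id === 0 || !isset($accounts[$id])) {
        return false; // no authenticated account
    }
    if (isset($post['user_id']) && (int)$post['user_id'] !== $id) {
        error_log("account update refused: session $id, posted " . (int)$post['user_id']);
        return false;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $accounts[$id]['email'] = $email;
    return true;
}

// Constructed request: the session belongs to account 7, the form field names account 1.
$session = ['auth_user_id' => 7];
$post = ['user_id' => '1', 'email' => 'changed@example.test'];

$before = $accounts;
var_dump(update_unchecked($accounts, $post), $accounts[1] !== $before[1]);
$accounts = $before; // restore the sample rows
var_dump(update_checked($accounts, $session, $post), $accounts === $before);
```

The refusal logged by the checked handler is also a useful detection signal: a posted user ID that differs from the session's account should not occur in normal use of the form.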

Solution Description

Upgrade to version 1.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.organicphp.com/
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-08/0141.html
ISS X-Force ID: 9858
CVE-2002-1462
Bugtraq ID: 5482