Powie's PSCRIPT Forum changepass.php SQL Injection

2004-10-15T14:52:59
ID OSVDB:10951
Type osvdb
Reporter Christoph Jeschke (ponders@arcor.de)
Modified 2004-10-15T14:52:59

Description

Vulnerability Description

Powie's PSCRIPT Forum contains a flaw that allows an attacker to inject arbitrary SQL code. Input to the changepass.php script is not properly verified, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Set "magic_quotes_gpc" in php.ini to "On".
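
One way to confirm that the workaround is actually in effect, as an added example that is not part of the original advisory or of the PSCRIPT code: it reads the effective `magic_quotes_gpc` value from a php.ini and checks whether a per-directory Apache `.htaccess` switches it back off. The directive exists only in PHP releases before 5.4 and can be changed per directory. The function names, verdict strings and sample files are hypothetical, and treating an unset directive as unconfirmed is this example's own choice.

```shell
# Print the effective value of directive $2 in php.ini-style file $1.
# Directive names are case sensitive; the last uncommented assignment wins.
effective_ini_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/;.*$/, "", line)               # strip ; comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
            if (k == key) { val = v; seen = 1 }
        }
        END { if (seen) print val }
    ' "$1"
}

# Exit 0 only if php.ini $1 sets magic_quotes_gpc to a PHP "true" spelling.
# Unset counts as not confirmed (assumption: do not rely on defaults).
ini_workaround_on() {
    case "$(effective_ini_value "$1" magic_quotes_gpc | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if Apache per-directory file $1 switches the directive back off.
htaccess_disables() {
    grep -Eiq '^[[:space:]]*php_(flag|value)[[:space:]]+magic_quotes_gpc[[:space:]]+"?(off|0|false|no)' "$1"
}

# Verdict for php.ini $1 and the forum directory's .htaccess $2 (may be absent).
check_workaround() {
    if ! ini_workaround_on "$1"; then echo "NOT-APPLIED"; return; fi
    if [ -f "$2" ] && htaccess_disables "$2"; then echo "OVERRIDDEN"; return; fi
    echo "APPLIED"
}

# Constructed sample files, not taken from any real installation.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '[PHP]' '; magic_quotes_gpc = On' 'magic_quotes_gpc = Off' \
        'magic_quotes_gpc = On ; workaround' > "$d/good.ini"
    printf '%s\n' 'Magic_Quotes_GPC = On' 'magic_quotes_gpc = Off' > "$d/bad.ini"
    printf '%s\n' 'php_flag magic_quotes_gpc Off' > "$d/.htaccess"
    echo "$d"
}

d=$(make_samples); check_workaround "$d/good.ini" "$d/.htaccess"; rm -rf "$d"
```

On a real host, pass the php.ini path the web server's PHP actually loads and the `.htaccess` of the forum directory.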

References:

Vendor URL: http://www.pscript.de/
Security Tracker: 1011772
Secunia Advisory ID: 12868
Related OSVDB ID: 10950
Related OSVDB ID: 10952
Mail List Post: http://seclists.org/lists/bugtraq/2004/Oct/0188.html
Keyword: pforum