MyPHP Forum include.php Multiple Parameter SQL Injection

2005-02-10T08:40:33
ID OSVDB:13681
Type osvdb
Reporter foster GHC (foster@ghc.ru)
Modified 2005-02-10T08:40:33

Description

Vulnerability Description

MyPHP Forum contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the "$nbpass" and "$nbuser" variables in the "include.php" script not being properly sanitized, which may allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.myphp.ws/
Security Tracker: 1013136
Secunia Advisory ID: 14205
Related OSVDB ID: 13678
Related OSVDB ID: 13679
Related OSVDB ID: 13680
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0056.html
CVE-2005-0413