Advanced Guestbook admin.php Password Field SQL Injection

2004-04-21T16:19:11
ID OSVDB:13734
Type osvdb
Reporter JQ(idiosyncrasie@xs4all.nl)
Modified 2004-04-21T16:19:11

Description

Vulnerability Description

Advanced Guestbook contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'admin.php' script not properly sanitizing user-supplied input to the 'Password' field, which may allow a remote attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Upgrade to version 2.3.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
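The flaw described above and the reason the fix is an upgrade rather than a workaround come down to how the login query is built. The following is an added example, not code from Advanced Guestbook or from the advisory: it uses Python and an in-memory SQLite table as a stand-in for the PHP/MySQL backend, with a constructed admin row, and contrasts the unsafe string-concatenation pattern that produces this class of bug with the parameterized query that removes it.

```python
import sqlite3


def make_db():
    """Constructed sample backend: one admin account in an in-memory table.

    Stands in for the guestbook's real MySQL schema, which is not on the page.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (name TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'correct-horse')")
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable pattern: user-supplied values are spliced into the SQL text.

    A quote character in `password` ends the string literal early, so the
    rest of the input is parsed as SQL rather than compared as data.
    """
    query = (
        "SELECT COUNT(*) FROM admin WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Hardened pattern: placeholders in the SQL, values passed separately.

    The driver binds `name` and `password` as data, so quotes and keywords
    inside them can never change the structure of the statement.
    """
    query = "SELECT COUNT(*) FROM admin WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote and SQL keywords, as a
    # regression check for the two patterns.
    crafted = "' OR '1'='1"
    print("concatenated, crafted input :", login_concatenated(db, "admin", crafted))
    print("parameterized, crafted input:", login_parameterized(db, "admin", crafted))
    print("parameterized, real password:", login_parameterized(db, "admin", "correct-horse"))
```

The parameterized variant is the change a maintainer would make to admin.php; as a detection check, any password value containing a quote that still authenticates is a direct indicator that the concatenated pattern is in use. Comparing passwords in cleartext is kept here only to mirror the advisory's scenario; a real fix would also store and compare password hashes.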

Short Description

Advanced Guestbook contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'admin.php' script not properly sanitizing user-supplied input to the 'Password' field, which may allow a remote attacker to inject or manipulate SQL queries in the backend database.

References:

Vendor URL: http://proxy2.de/scripts.php
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0138.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-04/0268.html
ISS X-Force ID: 15892
CVE: CVE-2004-1952
Bugtraq ID: 10209