paFAQ question.php Multiple Parameter SQL Injection

2005-02-17T22:24:09
ID OSVDB:13934
Type osvdb
Reporter Pi3cH(pi3ch@persianhacker.net)
Modified 2005-02-17T22:24:09

Description

Vulnerability Description

PHP Arena paFAQ contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the question.php script not properly sanitizing the offset, limit, order, or orderby parameters, any of which may be used to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
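With no vendor fix listed, the following added example (not paFAQ's code and not a vendor patch) shows one way to constrain the four affected parameters. The table name, the cat_id column, the extra sortable columns and both function names are assumptions; only q_id and the parameter names come from this advisory.

```php
<?php
// Added example, not paFAQ source. "faq_questions", "cat_id", "q_title" and
// "q_date" are hypothetical names; only q_id appears in the advisory.
const SORTABLE_COLUMNS = ['q_id', 'q_title', 'q_date'];
const MAX_LIMIT = 100;

// Accept only an integer inside [$min, $max]; anything else (a quote,
// an array, a missing value) falls back to $default.
function boundedInt($value, int $default, int $min, int $max): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return is_int($n) ? $n : $default;
}

// Column names and sort keywords cannot be sent as bound parameters,
// so they are compared against fixed allowlists instead of being escaped.
function pagingFromRequest(array $in): array
{
    $orderby = $in['orderby'] ?? null;
    if (!is_string($orderby) || !in_array($orderby, SORTABLE_COLUMNS, true)) {
        $orderby = 'q_id';
    }
    $order = $in['order'] ?? null;
    $order = (is_string($order) && strtoupper($order) === 'ASC') ? 'ASC' : 'DESC';

    $limit  = boundedInt($in['limit'] ?? null, 10, 1, MAX_LIMIT);
    $offset = boundedInt($in['offset'] ?? null, 0, 0, PHP_INT_MAX);
    return [$orderby, $order, $limit, $offset];
}

function fetchQuestions(PDO $db, int $categoryId, array $request): array
{
    [$orderby, $order, $limit, $offset] = pagingFromRequest($request);

    // $orderby and $order are now one of a fixed set of literals;
    // the numeric values are bound as integers.
    $sql = "SELECT q_id FROM faq_questions WHERE cat_id = :id
            ORDER BY $orderby $order LIMIT :limit OFFSET :offset";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $categoryId, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With this in place, a request carrying a single quote in any of the four parameters is served with the default value for that parameter and never reaches the SQL text.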

Manual Testing Notes

http://[victim]/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
http://[victim]/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='
http://[victim]/index.php?act=Question&id=1&orderby=q_id&order='&limit=10
http://[victim]/index.php?act=Question&id=1&orderby='&order=DESC&limit=10

References:

Vendor URL: http://www.phparena.net/pafaq.php
Security Tracker: 1013232
Related OSVDB ID: 13935
Related OSVDB ID: 13936
Related OSVDB ID: 13937
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0269.html
ISS X-Force ID: 19371
CVE-2005-0475
Bugtraq ID: 12582