ChurchInfo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the MemberRoleChange.php script not properly sanitizing user-supplied input to the 'GroupID' and 'PersonID' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.
Upgrade to version 1.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Vendor URL: http://www.churchdb.org/
Secunia Advisory ID: 16292
Related OSVDB IDs: 18410, 18422, 18424, 18408, 18409, 18412, 18414, 18417, 18419, 18421, 18425, 18428, 18429, 18411, 18413, 18420, 18423, 18415, 18416, 18426, 18427
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0007.html
CVE ID: CVE-2005-2473