FunkBoard mysql_install.php Email Field Arbitrary PHP Code Injection

2005-08-08T05:52:02
ID OSVDB:18622
Type osvdb
Reporter rgod (retrogod@aliceposta.it)
Modified 2005-08-08T05:52:02

Description

Vulnerability Description

FunkBoard contains a flaw that may allow a remote attacker to inject arbitrary PHP code. The issue is due to 'mysql_install.php' not properly sanitizing user input supplied to the 'Email' field. A remote attacker may use this to create a backdoor, resulting in a loss of integrity.

Solution Description

Upgrade to version 0.70CF or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.funkboard.co.uk/
Secunia Advisory ID: 16371
Related OSVDB ID: 18614
Related OSVDB ID: 18615
Related OSVDB ID: 18617
Related OSVDB ID: 18616
Related OSVDB ID: 18619
Related OSVDB ID: 18620
Related OSVDB ID: 18623
Related OSVDB ID: 18613
Related OSVDB ID: 18618
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0130.html