betaparticle BP Blog template_permalink.asp id Variable SQL Injection

2006-03-18T07:47:37
ID OSVDB:23966
Type osvdb
Reporter Mustafa Can Bjorn (nukedx@nukedx.com)
Modified 2006-03-18T07:47:37

Description

Vulnerability Description

BP Blog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the template_permalink.asp script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.
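
A defensive check for the flaw described above, added here as an example and not part of the original advisory or the vendor's patch: it scans IIS W3C extended log lines for requests to template_permalink.asp whose 'id' value is not a plain integer. The integer-only rule is an assumption (the vendor URL in the references uses id=102), and the log lines are constructed sample data.

```python
import re
from urllib.parse import parse_qs

SCRIPT = "/template_permalink.asp"
# Assumption: legitimate permalink ids are short decimal integers.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")

# Constructed sample log (documentation IP range), not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-03-20 10:00:01 192.0.2.10 GET /template_permalink.asp id=102 200
2006-03-20 10:00:05 192.0.2.77 GET /template_permalink.asp id=102%27 500
2006-03-20 10:00:09 192.0.2.77 GET /blog/template_permalink.asp ID=7+or+1%3D1 200
2006-03-20 10:00:12 192.0.2.10 GET /default.asp - 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_requests(lines):
    """Return (client_ip, decoded_id) for permalink requests with a non-integer id."""
    hits = []
    for rec in parse_w3c(lines):
        if not rec.get("cs-uri-stem", "").lower().endswith(SCRIPT):
            continue
        # parse_qs URL-decodes, so encoded quotes and spaces are compared in clear form.
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for key, values in query.items():
            if key.lower() != "id":  # classic ASP query keys are case-insensitive
                continue
            for value in values:
                if not NUMERIC_ID.fullmatch(value):
                    hits.append((rec.get("c-ip", "?"), value))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\tid={value!r}")
```
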

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, betaparticle.com has released a patch to address this vulnerability.

References:

Vendor URL: http://www.betaparticle.com/
Vendor Specific Solution URL: http://blog.betaparticle.com/template_permalink.asp?id=102
Security Tracker: 1015788
Secunia Advisory ID: 19292
Related OSVDB ID: 23965
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0349.html
FrSIRT Advisory: ADV-2006-1000
CVE-2006-1333
Bugtraq ID: 17148