sBlog search.php keyword Variable SQL Injection

2006-05-02T01:13:21
ID OSVDB:25612
Type osvdb
Reporter SubjectZero Network Security Research Group (arko.dhar@gmail.com)
Modified 2006-05-02T01:13:21

Description

Vulnerability Description

sBlog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'keyword' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

sBlog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'keyword' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.
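The advisory describes the classic pattern behind this class of bug: a request parameter (here 'keyword') spliced directly into a query string, so a quote character in the input changes the structure of the SQL rather than being treated as data. The following PHP is an added illustration and is not sBlog's code; it shows that pattern next to a hardened rewrite using a mysqli prepared statement. The table name `posts`, its columns, the function names, and a PHP 8 runtime with mysqli/mysqlnd are all assumptions for the example.

```php
<?php
// Added example, not part of the OSVDB record or of sBlog. Demonstrates the
// defect class named in the advisory (unsanitized 'keyword' concatenated into
// SQL) beside a parameterized rewrite. Table/column names are assumed.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable pattern: the request value is concatenated into the query text,
// so the database parses whatever the user sent as part of the SQL statement.
function search_vulnerable(mysqli $db, string $keyword): array
{
    $sql = "SELECT id, title FROM posts WHERE body LIKE '%" . $keyword . "%'";
    $result = $db->query($sql);
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Hardened: the query text is fixed at prepare time and the keyword travels as
// a bound parameter, so it can never alter the statement's structure. LIKE
// metacharacters (%, _, and the default backslash escape) are escaped as well,
// so a user cannot widen the search into a match-everything pattern.
function search_safe(mysqli $db, string $keyword): array
{
    $escaped = addcslashes($keyword, '%_\\');
    $pattern = '%' . $escaped . '%';

    $stmt = $db->prepare('SELECT id, title FROM posts WHERE body LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    // get_result() requires the mysqlnd driver (assumed here).
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// How a search.php handler would wire this up (connection values assumed;
// commented out because it needs a live database):
//
// $db = new mysqli('localhost', 'sblog_user', 'sblog_password', 'sblog');
// $db->set_charset('utf8mb4');
// $rows = search_safe($db, (string) ($_GET['keyword'] ?? ''));
// foreach ($rows as $row) {
//     echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
// }
```

The point of the contrast is that input validation alone is not the fix: the hardened version never lets the keyword reach the SQL parser as code, regardless of what characters it contains. Setting the connection charset explicitly matters too, since a mismatch between the client and server character sets can undermine escaping-based approaches.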

References:

Vendor URL: http://servous.se/
Other Advisory URL: http://www.subjectzero.net/research/sblog.htm
Nessus Plugin ID: 21313
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0033.html
ISS X-Force ID: 26212
CVE: CVE-2006-2189
Bugtraq ID: 17782