My Classifieds email Variable SQL Injection

2003-10-22T03:53:06
ID OSVDB:2697
Type osvdb
Reporter Ezhilan(sintraq@sintelli.com)
Modified 2003-10-22T03:53:06

Description

Vulnerability Description

My Classifieds contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "email" variable in unspecified modules is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 2.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

My Classifieds contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "email" variable in unspecified modules is not verified properly and will allow an attacker to inject or manipulate SQL queries.

References:

Vendor Specific Advisory URL Secunia Advisory ID:10044 Other Advisory URL: http://www.sintelli.com/adv/sa-2003-04-myclassified.pdf Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0211.html Bugtraq ID: 8863