Buddy Zone view_sub_forum.php main_cat Variable SQL Injection
2006-06-30T09:33:59
ID OSVDB:26979 Type osvdb Reporter luny(luny@youfucktard.com) Modified 2006-06-30T09:33:59
Description
Vulnerability Description
Buddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_sub_forum.php script not properly sanitizing user-supplied input to the 'main_cat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.
Additionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Short Description
Buddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_sub_forum.php script not properly sanitizing user-supplied input to the 'main_cat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.
Additionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
{"enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3494"]}, {"type": "osvdb", "idList": ["OSVDB:26985", "OSVDB:26990", "OSVDB:26993", "OSVDB:26981", "OSVDB:26984", "OSVDB:26983", "OSVDB:26980", "OSVDB:26982"]}], "modified": "2017-04-28T13:20:23"}, "vulnersScore": 7.5}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Buddy Zone", "operator": "eq", "version": "1.0.1"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:26979", "id": "OSVDB:26979", "title": "Buddy Zone view_sub_forum.php main_cat Variable SQL Injection", "history": [], "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:23", "edition": 1, "hash": "845e4db08871b85571cd2a85b9878b84c963a9c4cef1644bac7376ef17df3490", "objectVersion": "1.2", "reporter": "luny(luny@youfucktard.com)", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_sub_forum.php script not properly sanitizing user-supplied input to the 'main_cat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_sub_forum.php script not properly sanitizing user-supplied input to the 'main_cat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_sub_forum.php?main_cat='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "viewCount": 0, "published": "2006-06-30T09:33:59", "cvelist": ["CVE-2006-3494"], "hashmap": [{"key": "affectedSoftware", "hash": "2c45006ef0058b16213dcc98b36e5084"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "65511afc49ef5e5d9d7b78114669b243"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "ffef896b08d1b6a043927f454dcdf0c5"}, {"key": "href", "hash": "ec8da45774aeb13f6a716b47aed3564f"}, {"key": "modified", "hash": "c55d57caa3f08e81e44aea0de0c01df0"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "c55d57caa3f08e81e44aea0de0c01df0"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "1ecbff27b0062287be6ddd5f3644abbb"}, {"key": "title", "hash": "c0345161c5cd5bdc0346c993cc54a5d9"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}]}
{"cve": [{"lastseen": "2018-10-19T11:35:59", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Buddy Zone 1.0.1 allow remote attackers to inject arbitrary HTML and web script via the (1) cat_id parameter to (a) view_classifieds.php; (2) id parameter in (b) view_ad.php; (3) event_id parameter in (c) view_event.php, (d) delete_event.php, and (e) edit_event.php; and (4) group_id in (f) view_group.php.", "modified": "2018-10-18T12:47:45", "published": "2006-07-10T18:05:00", "id": "CVE-2006-3494", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3494", "title": "CVE-2006-3494", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_group.php script not properly sanitizing user-supplied input to the 'group_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_group.php script not properly sanitizing user-supplied input to the 'group_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_group.php?group_id='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26985", "id": "OSVDB:26985", "title": "Buddy Zone view_group.php group_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_ad.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_ad.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_ad.php?id=4'\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26981", "id": "OSVDB:26981", "title": "Buddy Zone view_ad.php id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the edit_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the edit_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/edit_event.php?event_id='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26984", "id": "OSVDB:26984", "title": "Buddy Zone edit_event.php event_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.\n## Short Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26991](https://vulners.com/osvdb/OSVDB:26991)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26988](https://vulners.com/osvdb/OSVDB:26988)\n[Related OSVDB ID: 26989](https://vulners.com/osvdb/OSVDB:26989)\n[Related OSVDB ID: 26993](https://vulners.com/osvdb/OSVDB:26993)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26992](https://vulners.com/osvdb/OSVDB:26992)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0245.html\nISS X-Force ID: 27512\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\nBugtraq ID: 18759\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26990", "id": "OSVDB:26990", "title": "Buddy Zone view_event.php XSS", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_group.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.\n## Short Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_group.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26990](https://vulners.com/osvdb/OSVDB:26990)\n[Related OSVDB ID: 26991](https://vulners.com/osvdb/OSVDB:26991)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26988](https://vulners.com/osvdb/OSVDB:26988)\n[Related OSVDB ID: 26989](https://vulners.com/osvdb/OSVDB:26989)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26992](https://vulners.com/osvdb/OSVDB:26992)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0245.html\nISS X-Force ID: 27512\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\nBugtraq ID: 18759\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26993", "id": "OSVDB:26993", "title": "Buddy Zone view_group.php XSS", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_classifieds.php script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_classifieds.php script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_classifieds.php?cat_id=8'\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26980", "id": "OSVDB:26980", "title": "Buddy Zone view_classifieds.php cat_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the delete_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the delete_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/delete_event.php?event_id='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26983", "id": "OSVDB:26983", "title": "Buddy Zone delete_event.php event_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_event.php?event_id=8'\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26982", "id": "OSVDB:26982", "title": "Buddy Zone view_event.php event_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}