vbPortal Anonymous E-mail Sending via SQL Injection
2003-11-22T07:04:04
ID OSVDB:2856 Type osvdb Reporter OSVDB Modified 2003-11-22T07:04:04
Description
Vulnerability Description
A flaw in vbPortal may allow an attacker to send e-mail without authentication. The flaw lies in the friend.php file with the SendStory and SendSite functions. Through the 'yname' and 'ymail' variables, an attacker can inject arbitrary material by using line feeds.
Solution Description
Upgrade to version 3.0b or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the patch included by the advisory author.
Short Description
A flaw in vbPortal may allow an attacker to send e-mail without authentication. The flaw lies in the friend.php file with the SendStory and SendSite functions. Through the 'yname' and 'ymail' variables, an attacker can inject arbitrary material by using line feeds.
{"edition": 1, "title": "vbPortal Anonymous E-mail Sending via SQL Injection", "bulletinFamily": "software", "published": "2003-11-22T07:04:04", "lastseen": "2017-04-28T13:19:57", "history": [], "modified": "2003-11-22T07:04:04", "reporter": "OSVDB", "hash": "9ed2b47135df0d53f97b3d542b5467b61101ef84804b9c6398d7883b2d8828f3", "viewCount": 0, "href": "https://vulners.com/osvdb/OSVDB:2856", "description": "## Vulnerability Description\nA flaw in vbPortal may allow an attacker to send e-mail without authentication. The flaw lies in the friend.php file with the SendStory and SendSite functions. Through the 'yname' and 'ymail' variables, an attacker can inject arbitrary material by using line feeds.\n\n\n## Solution Description\nUpgrade to version 3.0b or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the patch included by the advisory author.\n## Short Description\nA flaw in vbPortal may allow an attacker to send e-mail without authentication. The flaw lies in the friend.php file with the SendStory and SendSite functions. Through the 'yname' and 'ymail' variables, an attacker can inject arbitrary material by using line feeds.\n\n\n## References:\n[Secunia Advisory ID:10279](https://secuniaresearch.flexerasoftware.com/advisories/10279/)\nISS X-Force ID: 13816\nGeneric Informational URL: http://www.security-corporation.com/advisories-021.html\nBugtraq ID: 9088\n", "affectedSoftware": [{"name": "vbPortal", "version": "2.0 alpha 8.1", "operator": "eq"}, {"name": "vbPortal", "version": "8.1", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "e87df137d37696f7b9bcecc61619bf6c"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "5594ce6161ad1561d86a3c64d48d76e9"}, {"key": "href", "hash": "79dfb438315ab6cbee88c8c5d8cdec3c"}, {"key": "modified", "hash": "f8b629d7f9be50e0be28175816d67efa"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "f8b629d7f9be50e0be28175816d67efa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "f6deb90d18dcdb021dee66498287c5f7"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2017-04-28T13:19:57"}, "dependencies": {"references": [], "modified": "2017-04-28T13:19:57"}, "vulnersScore": 0.4}, "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "OSVDB:2856"}
