vbPortal auth.inc.php SQL Injection

2003-09-13T00:00:00
ID OSVDB:2918
Type osvdb
Reporter OSVDB
Modified 2003-09-13T00:00:00

Description

Vulnerability Description

vbPortal contains a flaw that allows an attacker to provide SQL commands that will be executed by the database server. User-supplied input in auth.inc.php is not properly validated, allowing an attacker to submit specially crafted values for the 'admin' variable. This can be used to execute remote SQL commands, such as dumping database information to a text file that can be viewed remotely.

Solution Description

Upgrade to version 3.0b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

ISS X-Force ID: 13181
Generic Informational URL: http://www.securitytracker.com/alerts/2003/Sep/1007695.html
Bugtraq ID: 8613