PHPCatalog id Parameter SQL Injection

2003-12-30T14:15:51
ID OSVDB:3303
Type osvdb
Reporter David Sopas Ferreira
Modified 2003-12-30T14:15:51

Description

Vulnerability Description

PHPCatalog contains a flaw that allows an attacker to inject arbitrary SQL code. The "id" parameter is not validated before it is used in a database query, so an attacker who controls its value can inject into or manipulate the SQL queries the application runs.

Solution Description

Upgrade to version 2.6.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

PHPCatalog contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "id" variable is not verified properly and will allow an attacker to inject or manipulate SQL queries.
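The record only states that the "id" parameter is not verified before use. The following is an added illustration of that class of defect in PHP and of the standard mitigation; it is hypothetical code written for this page, not PHPCatalog's own source, and the table name `products`, the PDO connection `$db`, and the function names are assumptions.

```php
<?php
// Added example (not PHPCatalog code): an unvalidated "id" parameter
// interpolated into SQL, beside a hardened version of the same lookup.

// Vulnerable pattern: the raw request value is concatenated into the query,
// so any SQL the caller places in "id" becomes part of the statement.
function lookup_item_vulnerable(PDO $db, array $request): array
{
    $id  = $request['id'];                                   // no validation
    $sql = "SELECT name, price FROM products WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the parameter as an integer and bind it with a
// prepared statement, so the value can never change the query structure.
function lookup_item_hardened(PDO $db, array $request): array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject (and, in a real deployment, log) malformed input instead of
        // passing it on to the database.
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input of the kind the vulnerable function would pass
// through unchanged; the hardened function rejects it before any query runs.
$sample = ['id' => "1 OR 1=1"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99)");

echo count(lookup_item_vulnerable($db, $sample)), " rows from vulnerable lookup\n";
try {
    lookup_item_hardened($db, $sample);
} catch (InvalidArgumentException $e) {
    echo "hardened lookup rejected input: ", $e->getMessage(), "\n";
}
echo count(lookup_item_hardened($db, ['id' => '2'])), " row from hardened lookup\n";
```

The in-memory SQLite database stands in for whatever backend a catalog application would use; the defect and the fix are the same with MySQL. Type validation alone is not the defence here: the prepared statement with a bound parameter is what keeps user input out of the query text, and the integer check simply rejects obviously bad requests early.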

References:

Vendor URL: http://siliconsys.com/content/applications/phpcatalog/
Secunia Advisory ID: 10516
Nessus Plugin ID: 11969
ISS X-Force ID: 14116
Bugtraq ID: 9318
Keywords: PHPCatalog, PHP, SQL Injection