Unobtrusive Ajax Star Rating Bar db.php Multiple Variable SQL Injection

2007-07-09T23:07:49
ID OSVDB:35933
Type osvdb
Reporter Sullo(sullo@cirt.net)
Modified 2007-07-09T23:07:49

Description

Vulnerability Description

Unobtrusive Ajax Star Rating Bar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the db.php script not properly sanitizing user-supplied input to the q and t variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Upgrade to version 1.2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Unobtrusive Ajax Star Rating Bar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the db.php script not properly sanitizing user-supplied input to the q and t variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.

References:

Vendor URL: http://www.masugadesign.com/the-lab/scripts/unobtrusive-ajax-star-rating-bar/ Secunia Advisory ID:25985 Related OSVDB ID: 35935 Related OSVDB ID: 35934 Related OSVDB ID: 35936 Other Advisory URL: http://www.cirt.net/advisories/unobtrusive_ajax_star_rating.shtml ISS X-Force ID: 35328 CVE-2007-3684 Bugtraq ID: 24840