TUTOS note_overview.php id Variable SQL Injection

2004-04-13T10:55:50
ID OSVDB:5329
Type osvdb
Reporter François Sorin (francois.sorin@kereval.com)
Modified 2004-04-13T10:55:50

Description

Vulnerability Description

TUTOS contains a flaw that allows an attacker to inject arbitrary SQL code. The "id" variable in the "note_overview.php" script is not properly verified, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 1.1.20040412 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.tutos.org/
Security Tracker: 1009750
Secunia Advisory ID: 11354
Related OSVDB ID: 5327
Related OSVDB ID: 5328
Related OSVDB ID: 5326
Other Advisory URL: http://archives.neohapsis.com/archives/vulnwatch/2004-q2/0007.html
ISS X-Force ID: 15852
Bugtraq ID: 10129