OpenBB board.php FID Variable SQL Injection

2003-04-25T00:00:00
ID OSVDB:5659
Type osvdb
Reporter Albert Puigsech Galicia(ripe@7a69ezine.org)
Modified 2003-04-25T00:00:00

Description

Vulnerability Description

OpenBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "FID" variable in the "board.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

OpenBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "FID" variable in the "board.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/board.php?FID=2[SQL Query]

References:

Vendor URL: http://www.openbb.com Related OSVDB ID: 3342 Related OSVDB ID: 5661 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-04/0325.html ISS X-Force ID: 11884 Bugtraq ID: 7404