Web Wiz Forum pop_up_ip_blocking.asp SQL Injection

2004-04-30T14:17:18
ID OSVDB:5752
Type osvdb
Reporter Alexander(pk95@yandex.ru)
Modified 2004-04-30T14:17:18

Description

Vulnerability Description

Web Wiz Forum contains a flaw that allows a remote attacker to inject arbitrary SQL code. The "laryCheckedIPAddrID" parameter in the "pop_up_ip_blocking.asp" script is not properly validated, which allows a remote attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 7.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.webwizguide.info/web_wiz_forums/default.asp?mode=asp
Vendor Specific Solution URL: http://www.webwizguide.info/news/news_item.asp?NewsID=66
Security Tracker: 1010012
Secunia Advisory ID: 11525
Related OSVDB ID: 5750
Related OSVDB ID: 5751
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-04/1119.html
ISS X-Force ID: 16029
Bugtraq ID: 10255