phpMyWebhosting pmwh.php User Name SQL Injection

2004-08-14T02:22:49
ID OSVDB:8976
Type osvdb
Reporter Matias Neiff(matias@neiff.com.ar)
Modified 2004-08-14T02:22:49

Description

Vulnerability Description

phpMyWebhosting contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the username variable in the pmwh.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, phpMyWebhosting has released a patch to address this vulnerability.

Short Description

phpMyWebhosting contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the username variable in the pmwh.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

References:

Vendor URL: http://sourceforge.net/projects/phpmywebhosting/ Vendor Specific Solution URL: https://sourceforge.net/project/showfiles.php?group_id=85616 Other Advisory URL: http://www.securiteam.com/unixfocus/5EP0B1PDPK.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0207.html ISS X-Force ID: 17005 CVE-2004-2218 Bugtraq ID: 10942