Postaci Webmail PostgreSQL Version deletecontact.php item_id Variable SQL Injection

2001-01-17T00:00:00
ID OSVDB:9497
Type osvdb
Reporter Berk Demir (berk@linux.org.tr)
Modified 2001-01-17T00:00:00

Description

Vulnerability Description

Postaci Webmail contains a flaw that allows an attacker to inject arbitrary SQL code. The $item_id variable in the deletecontact.php script is not properly validated, which allows an attacker to inject or manipulate SQL queries. This vulnerability exists only in the PostgreSQL version of Postaci Webmail.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
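
As an added illustration (not Postaci's code and not a vendor fix), this is the kind of handling a numeric identifier such as $item_id needs before it reaches a PostgreSQL query: strict integer validation followed by a bound parameter. The function names, the `contacts` table, its `item_id` and `owner` columns, and the `$owner` argument are hypothetical.

```php
<?php
// Added example; not taken from Postaci. Table and column names are hypothetical.

/**
 * Accept only a canonical positive decimal integer (1 to 9 digits, no sign,
 * no whitespace, no leading zero). Anything else, arrays included, yields null.
 */
function parse_item_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Delete one contact belonging to $owner.
 * $db is a connection returned by pg_connect().
 * Returns true only when exactly one row was removed.
 */
function delete_contact($db, string $owner, $raw_item_id): bool
{
    $item_id = parse_item_id($raw_item_id);
    if ($item_id === null) {
        return false; // reject before any SQL is built
    }

    // Single-quoted string: $1 and $2 are PostgreSQL placeholders, not PHP
    // variables. The values travel separately from the statement text.
    $result = pg_query_params(
        $db,
        'DELETE FROM contacts WHERE item_id = $1 AND owner = $2',
        [$item_id, $owner]
    );

    return $result !== false && pg_affected_rows($result) === 1;
}

// Constructed sample inputs: only the first one is accepted by the validator.
foreach (['42', '042', '42 ', '4e2', '-1', '', ['42']] as $raw) {
    printf("%-8s => %s\n", json_encode($raw), var_export(parse_item_id($raw), true));
}
```

The loop at the end runs without a database; `delete_contact()` needs a live PostgreSQL connection.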

References:

Vendor URL: http://www.trlinux.com/
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0287.html
ISS X-Force ID: 5972
CVE-2001-0201
Bugtraq ID: 2230