ActiveCampaign SupportTrio SQL inj.

2005-11-24T00:00:00
ID SECURITYVULNS:DOC:10342
Type securityvulns
Reporter Securityvulns
Modified 2005-11-24T00:00:00

Description

ActiveCampaign SupportTrio SQL inj.
Vuln. discovered by: r0t
Date: 24 Nov. 2005
Original advisory: http://pridels.blogspot.com/2005/11/activecampaign-supporttrio-sql-inj.html
Vendor: http://www.activecampaign.com/supporttrio/
Affected version: 1.4 and prior

Vuln. description: Input passed to the "page" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example: http://host/SupportTrio/index.php?pf=kb&page=[SQL]

Solution: Edit the source code to ensure that input is properly sanitised.
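
One way to apply that fix, as an added example (not SupportTrio's code and not part of the original advisory): validate "page" against an allow-list and pass it to the query as a bound parameter. It assumes "page" is a numeric article id; the `kb_article` table, its columns and the function names are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: SupportTrio's real tables are not shown in the advisory.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE kb_article (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO kb_article (id, title)
               VALUES (1, 'Resetting a password'), (2, 'Opening a ticket')");
    return $db;
}

// Unsafe pattern of the kind the advisory describes (comment only, not executed):
//   $db->query("SELECT title FROM kb_article WHERE id = " . $_GET['page']);

function fetch_kb_page(PDO $db, $rawPage): ?string
{
    // 1. Allow-list validation: a bounded positive integer and nothing else.
    //    Array input (page[]=...) and any non-numeric string fail here.
    $id = filter_var($rawPage, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 2147483647]]);
    if ($id === false) {
        return null;
    }
    // 2. Bound parameter: the value is sent separately from the SQL text,
    //    so it cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT title FROM kb_article WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

$db = make_demo_db();
// Constructed values standing in for $_GET['page'].
foreach (['1', '2', '1 OR 1=1', "1'", ['1'], '999'] as $input) {
    $result = fetch_kb_page($db, $input);
    printf("%-12s => %s\n", json_encode($input), $result ?? '(rejected or not found)');
}
```

Only the first two inputs return a title; the rest are rejected by validation or match no row. If "page" were a string key instead of a number, the bound parameter would still apply, with an allow-list of known values replacing the integer check.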