Zorum Input Validation Flaw in Several 'index.php' Parameters Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID: 1016386
SecurityTracker URL: http://securitytracker.com/id?1016386
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 26 2006
Impact: Disclosure of system information, Disclosure of user information, User access via network
Version(s): 3.5 and prior versions
Description: A vulnerability was reported in Zorum. A remote user can inject SQL commands.
The 'index.php' script does not properly validate user-supplied input in the 'offset', 'tid', 'fromid', 'sortby', 'fromfrommethod', and 'fromfromlist' parameters. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
r0t discovered this vulnerability.
Impact: A remote user can execute SQL commands on the underlying database.
Solution: No solution was available at the time of this entry.
Vendor URL: zorum.phpoutsourcing.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
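
With no vendor fix listed, one interim measure is a request filter that rejects malformed values for the six parameters named in the description before 'index.php' processes them. This is an added example, not code from Zorum or from the original advisory; the expected value formats, the constant ZORUM_PARAM_RULES and the function zorum_rejected_params are assumptions.

```php
<?php
// Added example: request filter for the parameters named in this advisory.
// ASSUMPTION: the value shapes below are guessed from the parameter names,
// not taken from Zorum's source; adjust them to what the application expects.
const ZORUM_PARAM_RULES = [
    'offset'         => '/\A\d{1,9}\z/',                      // assumed: paging offset
    'tid'            => '/\A\d{1,9}\z/',                      // assumed: numeric id
    'fromid'         => '/\A\d{1,9}\z/',                      // assumed: numeric id
    'sortby'         => '/\A[A-Za-z_][A-Za-z0-9_]{0,31}\z/',  // assumed: identifier
    'fromfrommethod' => '/\A[A-Za-z_][A-Za-z0-9_]{0,31}\z/',  // assumed: identifier
    'fromfromlist'   => '/\A[A-Za-z_][A-Za-z0-9_]{0,31}\z/',  // assumed: identifier
];

/**
 * Return the names of listed parameters whose values fail their rule.
 * Array-valued input (e.g. tid[]=1) is rejected because the rules
 * describe single scalar values only.
 */
function zorum_rejected_params(array $input): array
{
    $rejected = [];
    foreach (ZORUM_PARAM_RULES as $name => $pattern) {
        if (!array_key_exists($name, $input)) {
            continue; // parameter not supplied in this source
        }
        $value = $input[$name];
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $rejected[] = $name;
        }
    }
    return $rejected;
}

// Check GET, POST and cookies separately so a bad value in one source
// cannot be masked by a clean value of the same name in another.
if (PHP_SAPI !== 'cli') {
    foreach ([$_GET, $_POST, $_COOKIE] as $source) {
        $bad = zorum_rejected_params($source);
        if ($bad !== []) {
            error_log('Rejected Zorum parameter(s): ' . implode(', ', $bad));
            http_response_code(400);
            exit('Invalid request parameter.');
        }
    }
}
```

A filter like this can be loaded ahead of the application with PHP's `auto_prepend_file` setting. It narrows what reaches the vulnerable code but does not replace correcting the queries themselves.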
Message History:
None.