|
|
phpTRADER Multiple Parameter Handling Remote SQL Injection Vulnerabilities
|
Multiple vulnerabilities have been identified in phpTRADER, which may be exploited by remote attackers to execute arbitrary SQL commands. These flaws are due to input validation errors in the "login.php", "write_newad.php", "newad.php", "printad.php", "askseller.php", "browse.php", "showmemberads.php", "note_ad.php", "abuse.php", "buynow.php", "confirm_newad.php", "printad.php", "note_ad.php", "showmemberads.php", and "buynow.php" scripts that do not validate the "sectio", "an", "who" and "adnr" parameters before being used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.
phpTRADER version 4.9 SP5 and prior
Upgrade to phpTRADER version 4.9 SP6 :
http://www.bluehouse-project.de/index.php?p=downloads&area=1
http://www.vupen.com/english/advisories/2006/2469
http://pridels.blogspot.com/2006/06/phptrader-multiple-sql-injection-vuln.html
Vulnerabilities reported by r0t
2006-06-21 : Initial release
2006-07-05 : Updated Solution
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
|
|
Monthly Statistics |
 |
|
|
|
| |
|
Try VUPEN
VNS |
 |
|
 |
|
| |
|
 |
| |
|
|
|
|
