|
|
|
>> ClassSystem "teacher_id" Parameter Remote SQL Injection Vulnerability
|
A vulnerability has been identified in ClassSystem, which could be exploited by attackers to manipulate and inject SQL queries. This issue is caused by input validation errors in the "HomepageTop.php", "HomepageMain.php" and "MessageReply.php" scripts when processing the "teacher_id" parameter, which could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information.
An input validation error has also been reported in the "ApplyDB.php" script when handling uploaded files, which could be exploited by malicious authenticated users to upload malicious PHP scripts.
Affected Products
ClassSystem version 2.3 and prior
Solution
VUPEN Security is not aware of any vendor-supplied patch.
References
http://www.vupen.com/english/advisories/2008/1664
http://www.chroot.org/exploits/chroot_uu_005
Credits
Vulnerabilities reported by unohope.
ChangeLog
2008-05-27 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
 |
