| VID |
210008 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The X7 Chat Program is vulnerable to an SQL injection vulnerability via the 'old_prefix' parameter. X7 Chat is free, open source and web based chatting software written in PHP. X7 Chat version 2.0.4 and earlier versions are vulnerable to an SQL injection vulnerability, caused by improper filtering of user-supplied input passed to the 'old_prefix' parameter of the 'upgradev1.php' script before using it in a database query. If the 'magic_quotes_gpc' option is disabled, this vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.milw0rm.com/exploits/2068
http://www.frsirt.com/english/advisories/2006/2941
* Platforms Affected:
X7 Group, X7 Chat version 2.0.4 and earlier versions
Any operating system Any version |
| Recommendation |
No upgrade or patch available as of Nov 2006.
Upgrade to the latest version of X7 Chat, when new version fixed this problem becomes available from the X7 Chat Web site at http://x7chat.com/
As a workaround, disable PHP's 'magic_quotes_gpc' setting. |
| Related URL |
CVE-2006-3851 (CVE) |
| Related URL |
19123 (SecurityFocus) |
| Related URL |
27921 (ISS) |
|
