| VID |
210094 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The WordPress program is vulnerable to an SQL injection vulnerability via the adclick.php script in the AdServe plugin. WordPress is a freely available PHP-based publication program that uses a MySQL backend database. WordPress Adserve plugin for WordPress version 0.2 and other versions could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input passed to the 'id' parameter of the 'adclick.php' script. Regardless of PHP's 'magic_quotes_gpc' setting, a remote attacker could exploit this vulnerability to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.milw0rm.com/exploits/5013
http://www.frsirt.com/english/advisories/2008/0364
http://secunia.com/advisories/28708
* Platforms Affected:
WordPress Adserve plugin for WordPress version 0.2 and other versions
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Coppermine Photo Gallery (1.4.15 or later), available from the Coppermine Photo Gallery Web site at http://coppermine.sourceforge.net
-- OR --
As a workaround, reconfigure the application to use GD as its graphics library, which is the default. |
| Related URL |
CVE-2008-0506 (CVE) |
| Related URL |
27512 (SecurityFocus) |
| Related URL |
40058 (ISS) |
|
