| VID | 21420 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
AntiBoard contains an SQL injection vulnerability in its 'antiboard.php' script. AntiBoard is a PHP bulletin board software package. AntiBoard 0.7.2 and earlier are vulnerable to an SQL injection attack because the application fails to properly sanitize user-supplied URI data before including it in an SQL query. By sending a specially crafted request to the 'antiboard.php' script with SQL commands embedded in the 'thread_id' and 'parent_id' parameters, a remote attacker could obtain sensitive information and add, modify or delete data in the backend database.
* References:
  * http://securitytracker.com/alerts/2004/Jul/1010803.html
  * http://www.osvdb.org/displayvuln.php?osvdb_id=8269
* Platforms Affected:
  * Resynthesize, AntiBoard 0.7.2 and earlier
  * Any operating system, any version |
| Recommendation |
No upgrade or patch available as of December 2004.
Upgrade to a new version of AntiBoard once a version that fixes this problem becomes available from the AntiBoard Web Site at http://www.resynthesize.com/code/antiboard_info.php |
| Related URL | CVE-2004-2062 (CVE) |
| Related URL | 10821 (SecurityFocus) |
| Related URL | 16828 (ISS) |