| VID |
21571 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The phpCOIN software is vulnerable to multiple SQL injection vulnerabilities. phpCOIN is a free software package originally designed for web-hosting resellers to handle clients, orders, invoices, notes and helpdesk. phpCOIN version 1.2.2 and earlier versions could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input to 'search' parameter of the 'index.php' script, the 'phpcoinsessid' parameter of the 'login.php' script and the 'id', 'dtopic_id', and 'dcat_id' parameters of the 'mod.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0499.html
http://digitalparadox.org/viewadvisories.ah?view=36
* Platforms Affected:
phpCOIN versions 1.2.2 and earlier
Any operating system Any version |
| Recommendation |
No upgrade or patch available as of May 2005
Upgrade to the latest version of phpCOIN (1.2.2 later), when new version fixed this problem becomes available from the phpCOIN Web site at http://www.phpcoin.com/index.php |
| Related URL |
CVE-2005-1384 (CVE) |
| Related URL |
13433 (SecurityFocus) |
| Related URL |
20308 (ISS) |
|
