| VID | 21592 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
A version of OpenBB older than 1.0.9 was detected on the host. OpenBB is a forum management system written in PHP. OpenBB versions prior to 1.0.9 contain multiple input validation flaws that remote attackers can exploit to conduct cross-site scripting and SQL injection attacks:

1) A cross-site scripting vulnerability in the member.php script can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the vulnerable site.

2) An SQL injection vulnerability in the read.php script can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

* Note: This check relies solely on the version number reported by the OpenBB installation on the remote web server, so the result may be a false positive (for example, a site whose administrator has patched member.php and read.php by hand without changing the advertised version).
* References: http://securityfocus.com/archive/1/398162
* Platforms Affected: Iansoft Enterprises OpenBB, versions prior to 1.0.9; any operating system, any version |
| Recommendation | Upgrade to the latest version of OpenBB (1.0.9 or later), available from the OpenBB Web site at http://www.openbb.com/ |
| Related URL | CVE-2005-1612 (CVE) |
| Related URL | 13624,13625 (SecurityFocus) |
| Related URL | 20595 (ISS) |