| VID |
21659 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PHPNews software is vulnerable to an SQL injection vulnerability in the "auth.php" script. PHPNews is an open source news content manager written in PHP. PHPNews version 1.2.6 and possibly earlier versions could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input passed to the "user" and "password" parameters of the "auth.php" script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.securityfocus.com/archive/1/405768
* Platforms Affected:
SourceForge.net, PHPNews version 1.2.6 and earlier versions
Any operating system Any version |
| Recommendation |
No upgrade or patch available as of August 2005.
Upgrade to the latest version of PHPNews (greater than 1.2.6), when new fixed version becomes available from the SourceForge.net Web Download page at http://newsphp.sourceforge.net/downloads.php |
| Related URL |
CVE-2005-2383 (CVE) |
| Related URL |
14333 (SecurityFocus) |
| Related URL |
(ISS) |
|
