| VID |
21825 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PHP Surveyor is vulnerable to an SQL injection vulnerability via the sid parameter. PHP Surveyor is a set of PHP scripts used to develop, publish online Surveys and collect responses from Surveys. PHP Surveyor version 0.99 and earlier versions could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of input passed to the sid parameter of various scripts. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.phpsurveyor.org/mantis/view.php?id=286
http://sourceforge.net/project/shownotes.php?release_id=381050&group_id=74605
http://secunia.com/advisories/18167/
* Platforms Affected:
phpSurveyor, PHP Surveyor version 0.99 and earlier versions
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of PHP Surveyor (0.991 or later), available from the phpSurveyor Web site at http://phpsurveyor.org/ |
| Related URL |
CVE-2005-4586 (CVE) |
| Related URL |
16077 (SecurityFocus) |
| Related URL |
23890 (ISS) |
|
