| VID |
21841 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Geeklog program is vulnerable to an SQL injection vulnerability in the comment.php script. Geeklog is an open-source Web log software written in PHP and MySQL. Geeklog version 1.3.11 and earlier versions could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input passed to the 'order' parameter of the 'comment.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.hardened-php.net/advisory-062005.php
http://secunia.com/advisories/15914/
* Platforms Affected:
Geeklog version 1.3.11 and earlier versions
Linux Any version
Microsoft Windows Any version |
| Recommendation |
Upgrade to the latest version of Geeklog (1.3.11.sr1 or later), available from the Geeklog Web site at http://www.geeklog.net/filemgmt/viewcat.php?cid=8 |
| Related URL |
CVE-2005-2152 (CVE) |
| Related URL |
14143 (SecurityFocus) |
| Related URL |
21287 (ISS) |
|
