VID | 21895
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The e107 Website System is vulnerable to SQL injection via the 'e107_cookie' cookie parameter. e107 is a freely available Web content management system written in PHP. e107 version 0.7.2 and earlier versions improperly filter user-supplied input passed in the application-specific cookie used for authentication. If the 'magic_quotes_gpc' option is disabled, a remote attacker could pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, data modification, or attacks against the database itself. The vulnerability can also be exploited to bypass authentication.
* References:
  http://www.securityfocus.com/archive/1/433938/30/0/threaded
  http://secunia.com/advisories/20089/
* Platforms Affected:
  e107 version 0.7.2 and earlier versions
  Any operating system, Any version
Recommendation | Upgrade to the latest version of e107 (0.7.4 or later), available from the e107 Web page at http://www.e107.org
Related URL | CVE-2006-2416 (CVE)
Related URL | 17966 (SecurityFocus)
Related URL | 26434 (ISS)