| VID |
21923 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The LifeType is vulnerable to an SQL injection vulnerability via the articleId parameter. LifeType is an open-source blogging platform written in PHP. articleId versions prior to 1.0.5 are vulnerable to an SQL injection vulnerability, caused by improper filtering of user-supplied input passed to the 'articleId' parameter of the 'index.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.lifetype.net/blog.php/lifetype_development_journal/2006/06/04/important_security_upgrade_lifetype_1.0.5_released
http://www.securityfocus.com/archive/1/435874/30/0/threaded
http://www.frsirt.com/english/advisories/2006/2120
http://secunia.com/advisories/20460
* Platforms Affected:
LifeType versions prior to 1.0.5
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of LifeType (1.0.5 or later), available from the LifeType Web site at http://www.lifetype.net/ |
| Related URL |
CVE-2006-2857 (CVE) |
| Related URL |
18264 (SecurityFocus) |
| Related URL |
26916 (ISS) |
|
