| VID |
21928 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The LifeType is vulnerable to an SQL injection vulnerability via the 'date' parameter. LifeType is an open-source blogging platform written in PHP. articleId versions prior to 1.0.6 are vulnerable to an SQL injection vulnerability, caused by improper filtering of user-supplied input passed to the 'date' parameter of the 'index.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.digitalsec.es/stuff/explt+advs/LifeType.txt
* Platforms Affected:
LifeType versions prior to 1.0.6
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of LifeType (1.0.6 or later), available from the LifeType Web site at http://www.lifetype.net/ |
| Related URL |
CVE-2006-3577 (CVE) |
| Related URL |
18835 (SecurityFocus) |
| Related URL |
(ISS) |
|
