VID | 21933
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
According to its version number, the miniBB installation on the remote host has an SQL injection vulnerability in the 'user' parameter. miniBB is a freely available forum management system written in PHP. miniBB versions prior to 1.7f are vulnerable to SQL injection caused by improper filtering of user-supplied input passed to the 'user' parameter of the 'index.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* Note: This check relies solely on the version number of miniBB on the remote Web server to assess this vulnerability, so it might be a false positive.
* References: http://www.securitytracker.com/alerts/2004/Nov/1012164.html
* Platforms Affected: Paul Puzyrev and Sergei Larionov: miniBB versions prior to 1.7f; Any operating system: Any version |
Recommendation |
Upgrade to the latest version of miniBB (1.7f or later), available from the miniBB Download Web site at http://www.minibb.net/download.html |
Related URL | CVE-2004-2456 (CVE)
Related URL | 11688 (SecurityFocus)
Related URL | 18080 (ISS)