OpenBB contains a flaw that allows a remote SQL injection attack. This flaw exists because the application does not validate the CID variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Classification
Location:
Remote/Network Access Required
Attack Type:
Information Disclosure,
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
OSVDB:
Web Related
Technical
This issue appears to have been discovered independantly many months apart by two individuals.
Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBB has released a patch to address this vulnerability.
planet.nl - Personal Page