Info

Disclosure

Aug 18, 2002

Discovery

Jun 17, 2002

Dates

Exploit

Unknown

Solution

Unknown

Description

FUDforum contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that user-supplied input in the 'report.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 2.2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Ilia Alshanetsky

FUDforum

2.0.2

References

Related OSVDB ID: 10115 10116
CVE ID: 2002-1421 (see also: NVD)
Bugtraq ID: 5500
ISS X-Force ID: 9912
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0082.html
Vendor URL: http://fud.prohost.org/

Credit

Ulf Härnhammar - Ulf.Harnhammar.9485student.uu.se -

Direct URL: http://osvdb.org/36218