OSVDB ID: 15161

Title: phpCOIN Product Order SQL Injection

Dates

Disclosure: Mar 29, 2005
Discovery: Jan 01, 2001
Exploit: Jan 01, 2001
Solution: Unknown

Description

phpCOIN contains a flaw that allows a remote attacker to inject arbitrary SQL code. User-supplied input in the 'Domain Name' field, submitted when ordering a product, is not properly validated, which lets a remote attacker inject or manipulate SQL queries.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 1.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Vendor: COINSoft Technologies Inc.
Product: phpCOIN
Version: 1.2.1b

References

Credit

  • James Bercegay - GulfTech Research and Development (gulftech.org)


Direct URL: http://osvdb.org/36218