Info

Disclosure

Nov 07, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

OcoMon contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the unspecified scripts not properly sanitizing user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the backend database. No further details have been provided.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 1.21 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. However, even with the upgrade to 1.21, Secunia Research has found that SQL injection still exists in the logon page when "magic_quotes_gpc" is disabled.

Products

Ocomonphp	Ocomon	1.2
		1.0
		1.1

References

Bugtraq ID: 15386
Secunia Advisory ID: 17470
CVE ID: 2005-4662 (see also: NVD) 2005-4664 (see also: NVD)
ISS X-Force ID: 23085
Vendor URL: http://ocomonphp.sourceforge.net/index.php
Packet Storm: http://packetstormsecurity.org/0511-advisories/sa17470.txt
Other Advisory URL: http://sourceforge.net/project/shownotes.php?release_id=369163

Credit

OCOMON - OCOMON

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Ocomonphp

Ocomon

References

Credit