Info

Last Modified

2 months ago

Percent Complete

80%

Disclosure

Jul 21, 2008

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Keywords

JOBBEX, SQLi, information disclosure

Description

JOBBEX JobSite contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search_result.cfm script not properly sanitizing user-supplied input to the "jobcountryid" and "jobstateid" variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Solution: No Solution
OSVDB: Web Related

Technical

Additionally, if a failed query is performed, the program will disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Avidweb has released a patch to address this vulnerability.

Products

Unknown or Incomplete

References

CVE ID: 2008-3341 (see also: NVD)
Bugtraq ID: 30302
Secunia Advisory ID: 31089
ISS X-Force ID: 43914
Related OSVDB ID: 47083
Other Advisory URL: http://holisticinfosec.org/content/view/78/45/
Vendor Specific Solution URL: http://support.avidwebtech.com/index.php?_m=news&_a=viewnews&newsid=4

Credit

Russ McRee - holisticinfosec.org

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches