Ultimate PHP Board ViewForum.PHP SQL注入漏洞-安全小百科

Ultimate PHP Board ViewForum.PHP SQL注入漏洞

漏洞ID	1108780	漏洞类型	SQL注入
发布时间	2005-05-13	更新时间	2005-10-20
CVE编号	CVE-2005-1615	CNNVD-ID	CNNVD-200505-1072
漏洞平台	PHP	CVSS评分	7.5

|漏洞来源

https://www.exploit-db.com/exploits/25655
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1072

|漏洞详情

UltimatePHPBoard(UPB)1.8至1.9.6版本中的viewforum.php可允许远程攻击者通过postorder参数(textdb.inc.php没有正确处理此参数)来读取敏感信息。可能由于SQL注入漏洞。

|漏洞EXP

source: http://www.securityfocus.com/bid/13622/info

Ultimate PHP Board is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. 

http://www.example.com/forum/viewforum.php?id=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%7
5%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C

|参考资料

来源:BID
名称:13622
链接:http://www.securityfocus.com/bid/13622
来源:BUGTRAQ
名称:20050513UltimatePHPBoard(UPB)SecurityAdvisory
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111600262424876&w;=2

相关推荐: DWC_Articles Multiple Unspecified SQL Injection Vulnerabilities

DWC_Articles Multiple Unspecified SQL Injection Vulnerabilities 漏洞ID 1097789 漏洞类型 Input Validation Error 发布时间 2004-10-23 更新时间 2004…

文章版权归作者所有，未经允许请勿转载。

THE END