Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE-request: phxEventManager search.php search_terms Parameter SQL Injection
From: Henri Salo <henri () nerv fi>
Date: Tue, 6 Mar 2012 09:06:59 +0200

Can we assign 2012 CVE-identifier for this vulnerability?

http://www.osvdb.org/show/osvdb/79738

"phxEventManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to 
the search.php script not properly sanitizing user-supplied input to the 'search_terms' parameter. This may allow an 
attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of 
arbitrary data."

Original report: http://seclists.org/fulldisclosure/2012/Mar/4
Vendor report: http://sourceforge.net/tracker/?func=detail&atid=697109&aid=3496086&group_id=123602

- Henri Salo


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]