by r0t, der4444, cembo, VietMafia

Monday, November 28, 2005

AtlantisFAQ SQL injection vulnerability

Atlantis GPL Knowledge Base Software SQL injection vulnerability
Vulnerability discovered by: r0t
Date: 28 November 2005
Vendor: http://atlantisfaq.com/
Affected versions: 3.0 and prior

Product Description:

Atlantis FAQ (AtlantisFAQ) is free knowledge base / FAQ software. Atlantis Knowledge Base is an easy-to-use, customizable, PHP-driven web application aimed at providing organizations with the ability to generate text-rich documents through a WYSIWYG interface. Publishers register and then create documents. Documents can then be searched, the 10 most recently submitted documents can be displayed, or all documents in the knowledge base can be viewed at once. The application is highly customizable and completely free.

Vuln. description:

Input parameters passed to "search.php" are not properly sanitised before being used in a SQL query. A request that places quote characters or SQL fragments in the search parameters therefore changes the structure of the query, which can be exploited to manipulate the application's SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code so that search input reaches the database as a bound parameter of a prepared statement rather than being concatenated into the query string; where prepared statements are not available, escape the input with the database driver's own escaping function and also validate it (type, length, character set) before use.
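To make the vulnerability class and the fix concrete, the following is an added, constructed example; it is not code from Atlantis FAQ or from this advisory, and the actual contents of search.php are not shown here. A small knowledge-base search is written in Python against an in-memory SQLite table that stands in for the application's PHP/MySQL stack; the table, its columns, the sample rows and the users table are all assumptions. search_vulnerable builds the query by string concatenation, the pattern the advisory describes; search_fixed binds the term as a query parameter, which is what the solution section calls for.

```python
import sqlite3


def make_kb():
    """Build a constructed in-memory knowledge base (assumed schema and rows,
    not taken from the product) with one unpublished draft and a users table
    the search page is never supposed to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, "
        "body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO documents (title, body, published) VALUES (?, ?, ?)",
        [
            ("Password reset", "How to reset your password", 1),
            ("VPN setup", "Connecting to the office VPN", 1),
            ("Draft: pricing", "Internal draft, not public", 0),
        ],
    )
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cr3t-hash')")
    return conn


def search_vulnerable(conn, term):
    """The bug the advisory describes: the search term is pasted straight into
    the SQL text, so a quote character in the term ends the string literal and
    everything after it is parsed as SQL."""
    sql = (
        "SELECT title FROM documents WHERE published = 1 "
        "AND title LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """The fix: the term is passed as a bound parameter. The driver sends it as
    data, so quotes, comment markers and keywords inside it never reach the
    SQL parser as syntax."""
    sql = "SELECT title FROM documents WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run a normal search and two generic injection payloads through both
    versions; returns the results so they can be compared."""
    conn = make_kb()
    results = {}
    for label, term in [
        ("normal", "VPN"),
        # Closes the LIKE literal, makes the WHERE clause always true, and
        # comments out the trailing %' so the query still parses.
        ("or_true", "' OR 1=1 --"),
        # Closes the literal and appends a UNION that reads another table.
        ("union", "' UNION SELECT password FROM users --"),
    ]:
        results[label] = {
            "vulnerable": sorted(search_vulnerable(conn, term)),
            "fixed": sorted(search_fixed(conn, term)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With the normal term both versions return the same single row. With the two payloads the concatenating version returns every document including the unpublished draft, and then the contents of the users table, while the parameterised version returns nothing because no title literally contains the payload text. The payloads are generic SQL; whether a particular payload works against a real installation depends on the database engine and the exact query shape, which this advisory does not give. Escaping with a function such as addslashes or mysql_real_escape_string also stops these specific payloads, but parameter binding removes the bug class rather than one encoding of it.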

Copyright (c) 2006 Pridels Sec Crew