|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[sec-adv] DCP-Portal SQL Injection
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Thu Oct 02 2003 - 14:17:02 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
DCP-Portal SQL Injection
SECUNIA ADVISORY ID:
SA9920
VERIFY ADVISORY:
http://www.secunia.com/advisories/9920/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
DCP-Portal 5.x
DESCRIPTION:
A vulnerability has been identified in DCP-Portal allowing malicious
people to conduct SQL injection.
The problem is that DCP-Portal doesn't verify input properly allowing
malicious people to include "'" in various parameters used in SQL
queries thereby manipulating the SQL query. This could be exploited
to bypass authentication, manipulate data and extract arbitrary
data.
This only affect DCP-Portal running on systems with MySQL 4 and where
"magic_quotes_gpc" is off.
This has been reported to affect version 5.5 but previous versions
may also be affected.
SOLUTION:
Configure PHP to use "magic_quotes_gpc".
REPORTED BY / CREDITS:
Lifo Fifo
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +45 7020 5144
Fax : +45 7020 5145
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]