OpenBB index.php CID Parameter SQL Injection
High Nessus Plugin ID 11550
Synopsis
The remote web server has an application that is affected by a SQL injection vulnerability.
Description
The remote host seems to be running OpenBB, a forum management system.
There is a bug that allows an attacker to inject SQL commands by passing a single quote (') to the CID argument of the file index.php, as in:
GET /index.php?CID='<sql query>
An attacker may use this flaw to gain credentials or to modify your database.
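Added example, not part of the Nessus plugin or of OpenBB: a log review helper that flags index.php requests whose CID value is not a plain integer, including URL-encoded and double-encoded quotes. It assumes Common Log Format access logs and that legitimate CID values are numeric; the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Common Log Format (not taken from a real host).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?CID=3 HTTP/1.1" 200 5120
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?CID=%27 HTTP/1.1" 200 812
192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /forum/index.php?cid=1%2527x HTTP/1.1" 200 790
192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=2&CID=12 HTTP/1.1" 200 4300
192.0.2.14 - - [01/Jan/2024:10:00:20 +0000] "GET /style.css?CID=' HTTP/1.1" 200 900
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_RE = re.compile(r"[0-9]+")


def suspicious_cid_requests(log_text):
    """Return (line_number, decoded CID) for index.php requests whose CID
    is not a plain integer. Assumption: CID is a numeric identifier."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Only the script named in the advisory is of interest.
        if not url.path.lower().endswith("/index.php"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != "cid":
                continue
            # parse_qsl decodes once; decode again to expose %2527-style values.
            decoded = unquote(value)
            if not NUMERIC_RE.fullmatch(decoded):
                hits.append((lineno, decoded))
    return hits


if __name__ == "__main__":
    for lineno, value in suspicious_cid_requests(SAMPLE_LOG):
        print(f"line {lineno}: non-numeric CID value {value!r}")
```

Hits from this check indicate probing or malformed requests, not confirmed exploitation; correlate them with database errors and response sizes before drawing conclusions.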
Solution
If the remote host is running OpenBB, upgrade to the latest version.