phpCOIN 1.2.1b Multiple Vulnerabilities
Severity: High. Nessus Network Monitor Plugin ID 2663
Synopsis
The remote web server contains a script that is vulnerable to a SQL injection attack.
Description
The remote host is running phpCOIN version 1.2.1b or older. These
versions suffer from several vulnerabilities, among them:
*) Multiple SQL injection vulnerabilities.
By calling the 'faq' module with a specially crafted
'faq_id' parameter or the 'pages' or 'site' modules with a
specially crafted 'id' parameter, a remote attacker may be
able to manipulate SQL queries used by the program, thereby
revealing sensitive information or even corrupting the
*) Multiple cross-site scripting vulnerabilities.
A remote attacker may be able to inject arbitrary HTML and script
code into the 'helpdesk' and 'mail' modules as well as the
'login.php' script by appending it to an otherwise valid request.
Successful exploitation may allow an attacker to steal
authentication cookies or misrepresent site content.
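Because this is a passive (network monitor) check, the requests the description refers to can also be spotted in web-server access logs. The Python script below is an added example written for this page; it is not NNM plugin code and not phpCOIN code. It assumes that phpCOIN dispatches its modules through mod.php with a 'mod' query parameter and that legitimate 'faq_id' and 'id' values are unsigned integers; the log lines it scans are constructed for the demonstration and embedded in the script.

```python
"""Passive detection of SQL-injection and XSS attempts against the phpCOIN
modules named in the description above (added example, not NNM or phpCOIN code).

Assumptions (not taken from the advisory): phpCOIN dispatches modules via
mod.php?mod=<name>, and genuine 'faq_id' / 'id' values are unsigned integers.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Module -> parameter that the advisory says reaches a SQL query unescaped.
NUMERIC_PARAMS = {"faq": "faq_id", "pages": "id", "site": "id"}
# Modules (plus login.php) where the advisory reports cross-site scripting.
XSS_MODULES = {"helpdesk", "mail"}

INT_RE = re.compile(r"^\d+$")
# Any HTML/script tag in a decoded parameter value, e.g. <script> or <img ...>.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)
# The request line inside an Apache/nginx style access-log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return [(kind, location, param), ...] for one request target
    (path plus query string); kind is 'sqli' or 'xss'."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes values, so "%27" is already "'" when inspected.
    qs = parse_qs(parts.query, keep_blank_values=True)
    mod = qs.get("mod", [""])[0]
    findings = []

    # SQLi: the advisory's numeric id parameters carrying anything but digits.
    # This is a type-deviation check, not a SQL-syntax matcher, so 'faq_id=abc'
    # is flagged too; that is deliberate for a parameter that must be an integer.
    if script == "mod.php" and mod in NUMERIC_PARAMS:
        pname = NUMERIC_PARAMS[mod]
        for value in qs.get(pname, []):
            if not INT_RE.match(value):
                findings.append(("sqli", mod, pname))

    # XSS: markup appended to any parameter of the affected modules or script.
    if script == "login.php" or (script == "mod.php" and mod in XSS_MODULES):
        location = script if script == "login.php" else mod
        for pname, values in qs.items():
            if any(TAG_RE.search(v) for v in values):
                findings.append(("xss", location, pname))
    return findings


def scan_log(lines):
    """Run classify_request over access-log lines.
    Returns a list of (target, kind, location, param) tuples."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for finding in classify_request(m.group("target")):
            hits.append((m.group("target"),) + finding)
    return hits


# Constructed log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /phpcoin/mod.php?mod=faq&faq_id=7 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2006:10:00:01 +0000] "GET /phpcoin/mod.php?mod=faq&faq_id=7%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2006:10:00:02 +0000] "GET /phpcoin/mod.php?mod=pages&id=3%20OR%201%3D1 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2006:10:00:03 +0000] "GET /phpcoin/login.php?user=guest&pass=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2006:10:00:04 +0000] "GET /phpcoin/mod.php?mod=helpdesk&msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2006:10:00:05 +0000] "GET /phpcoin/mod.php?mod=site&id=2 HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    for target, kind, location, param in scan_log(SAMPLE_LOG):
        print(f"{kind:4} {location:<9} {param:<7} {target}")
```

Run it as-is to see the four flagged requests, or feed real access-log lines to scan_log. The integer check is stricter than a signature list on purpose: any non-digit value in a parameter that the application only ever uses as a row id is worth a look, whether or not it contains recognisable SQL.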
Solution
Upgrade to phpCOIN 1.2.1b if necessary and then apply the Fix File.