phpCOIN 1.2.1b Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 2663


The remote web server contains a script that is vulnerable to a SQL injection attack.


The remote host is running phpCOIN version 1.2.1b or older. These
versions suffer from several vulnerabilities, among them :

*) Multiple SQL injection vulnerabilities.
By calling the 'faq' module with a specially crafted
'faq_id' parameter or the 'pages' or 'site' modules with a
specially crafted 'id' parameter, a remote attacker may be
able to manipulate SQL queries used by the program, thereby
revealing sensitive information or even corrupting the

*) Multiple cross-site scripting vulnerabilities.
A remote attacker may be able to inject arbitrary code
into the 'helpdesk' and 'mail' modules as well as the
'login.php' script by appending it to a valid request.
Successful exploitation may allow an attacker to steal
authentication cookies or misrepresent site content.


Upgrade to phpCOIN 1.2.1b if necessary and then apply the Fix File.

See Also

Plugin Details

Severity: High

ID: 2663

Family: CGI

Published: 2005/03/02

Modified: 2018/09/16

Dependencies: 1442

Nessus ID: 17246

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND


Base Score: 7.3

Temporal Score: 7.1


Temporal Vector: CVSS3#E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:coinsoft_technologies:phpcoin

Reference Information

CVE: CVE-2005-0669, CVE-2005-0670, CVE-2005-0932, CVE-2005-0933, CVE-2005-0946, CVE-2005-0947

BID: 12686, 12917