
phpCOIN 1.2.1b Multiple Vulnerabilities

High

Synopsis

The remote web server contains a script that is vulnerable to a SQL injection attack.

Description

The remote host is running phpCOIN version 1.2.1b or older. These versions suffer from several vulnerabilities, among them:

*) Multiple SQL injection vulnerabilities. By calling the 'faq' module with a specially crafted 'faq_id' parameter or the 'pages' or 'site' modules with a specially crafted 'id' parameter, a remote attacker may be able to manipulate SQL queries used by the program, thereby revealing sensitive information or even corrupting the database.
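The defect class described above is a request parameter pasted directly into SQL text. The following added example (not phpCOIN's code; the `faq` table, its columns and the sample rows are constructed for illustration) puts the vulnerable lookup beside a hardened one that validates the type and binds the value as a parameter, using SQLite so it runs offline:

```python
import sqlite3

# Constructed sample data standing in for a phpCOIN-style 'faq' table.
# Table name, columns and rows are assumptions, not phpCOIN's real schema.
FAQ_ROWS = [
    (1, "How do I reset my password?", "Use the reset link on the login page."),
    (2, "Where are invoices stored?", "Under the billing section."),
    (3, "Internal: admin contact", "Not meant for public display."),
]


def make_db():
    """Create an in-memory database holding the constructed faq table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faq (faq_id INTEGER PRIMARY KEY, question TEXT, answer TEXT)"
    )
    conn.executemany("INSERT INTO faq VALUES (?, ?, ?)", FAQ_ROWS)
    conn.commit()
    return conn


def lookup_faq_vulnerable(conn, faq_id):
    """The defective pattern: the request parameter becomes part of the SQL text.

    Whatever the client sends is executed as SQL, so any value that is not a
    plain number changes the meaning of the WHERE clause.
    """
    query = "SELECT faq_id, question FROM faq WHERE faq_id = " + faq_id
    return conn.execute(query).fetchall()


def lookup_faq_safe(conn, faq_id):
    """Hardened lookup: validate the type, then bind the value as a parameter.

    int() rejects anything that is not an integer before it reaches the
    database; the '?' placeholder makes the driver pass the value as data,
    never as SQL text. Either step alone would still be an improvement, but
    together they close both the type confusion and the string-splicing path.
    """
    try:
        faq_num = int(faq_id)
    except (TypeError, ValueError):
        raise ValueError("faq_id must be an integer") from None
    return conn.execute(
        "SELECT faq_id, question FROM faq WHERE faq_id = ?", (faq_num,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The tautology turns the single-row lookup into a dump of the whole table.
    print(lookup_faq_vulnerable(db, "1 OR 1=1"))
    # The hardened version returns only faq 1 ...
    print(lookup_faq_safe(db, "1"))
    # ... and refuses the non-numeric value before any query is built.
    try:
        lookup_faq_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same two-step pattern applies to the `id` parameter of the `pages` and `site` modules: decide what type the parameter must be, enforce it at the boundary, and never let the raw string touch the statement text.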

*) Multiple cross-site scripting vulnerabilities. A remote attacker may be able to inject arbitrary code into the 'helpdesk' and 'mail' modules as well as the 'login.php' script by appending it to a valid request. Successful exploitation may allow an attacker to steal authentication cookies or misrepresent site content.
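For the cross-site scripting issues, the fix on the application side is output encoding, and the cookie-theft impact is reduced by cookie attributes. The added example below (not phpCOIN's code; the notice markup, the cookie name `session_id` and the access-log lines are constructed) shows a vulnerable echo beside the encoded version, a hardened `Set-Cookie` header, and a small log check a defender can run to spot markup arriving in request parameters of scripts such as `login.php`:

```python
import html
import re
from urllib.parse import parse_qs, urlparse


def render_notice_vulnerable(message):
    """Defective pattern: a request parameter is echoed straight into HTML."""
    return "<p class='notice'>" + message + "</p>"


def render_notice_safe(message):
    """Hardened: encode for the HTML text context before echoing.

    quote=True also encodes quotation marks, so the same helper is safe to use
    inside attribute values delimited by either quote character.
    """
    return "<p class='notice'>" + html.escape(message, quote=True) + "</p>"


def session_cookie_header(value):
    """Build a Set-Cookie line for the session (cookie name is an assumption).

    HttpOnly keeps the cookie out of reach of page script, Secure restricts it
    to TLS, and SameSite=Lax stops most cross-site requests from carrying it.
    """
    return f"Set-Cookie: session_id={value}; HttpOnly; Secure; SameSite=Lax"


# Matches the request target inside a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_markup_in_requests(log_lines):
    """Return (path, parameter) pairs whose decoded value contains '<' or '>'.

    This is a coarse triage check for the web-server access log: legitimate
    parameters for these scripts rarely carry angle brackets, so hits are
    worth a look even though the check is not a full HTML parser.
    """
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlparse(match.group(1))
        params = parse_qs(target.query, keep_blank_values=True)  # percent-decodes values
        for name, values in params.items():
            if any("<" in v or ">" in v for v in values):
                flagged.append((target.path, name))
                break
    return flagged


# Constructed access-log lines: one ordinary request, one carrying markup.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /login.php?msg=Welcome HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2006:10:00:01 +0000] "GET /login.php?msg=%3Cscript%3E HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    print(render_notice_vulnerable("<b>hello</b>"))  # markup survives
    print(render_notice_safe("<b>hello</b>"))        # markup is encoded
    print(session_cookie_header("example-session-value"))
    print(flag_markup_in_requests(LOG_LINES))
```

Encoding has to match the output context: `html.escape` is right for HTML text and quoted attributes, but content placed inside a script block or a URL needs the encoding for that context instead.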

Solution

Upgrade to phpCOIN 1.2.1b if necessary and then apply the Fix File.