Thursday 21 June 2007

PHPAccounts vuln.

###############################################
Vuln. discovered by: r0t
Date: 21 June 2007
Vendor: http://phpaccounts.com/
Affected versions: PHPAccounts 0.5
Other versions may also be affected.
###############################################

1. Local file inclusion
PHPAccounts contains a flaw that allows local file inclusion attacks. Input passed to the "page" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

2. SQL Injection
PHPAccounts contains a flaw that allows remote SQL injection attacks. Input passed to the "Outgoing_Type_ID", "Outgoing_ID", "Project_ID", "Client_ID", "Invoice_ID" and "Vendor_ID" parameters in "index.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
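
One way to apply this fix, as an added example that is not PHPAccounts code or part of the original advisory: the "page" value is mapped through a fixed allow-list, and an ID parameter is validated as an integer and bound in a prepared statement. The page file names, the invoices table and the helper functions are assumptions for illustration; PDO with an in-memory SQLite database is used so the script runs stand-alone.

```php
<?php
// Added example. Page names, file names and the invoices table are hypothetical.
const ALLOWED_PAGES = ['Clients' => 'clients.php', 'Invoices' => 'invoices.php'];

// Map "page" to a fixed file name; the include path is never built from input.
function resolve_page($page): ?string
{
    if (!is_string($page) || !array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

// Accept an ID parameter only when it is a positive integer.
function int_param(array $query, string $name): ?int
{
    $v = filter_var($query[$name] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// The validated ID is bound as a parameter, never concatenated into the SQL.
function find_invoice(PDO $db, int $invoiceId): array
{
    $stmt = $db->prepare('SELECT Invoice_ID, Client_ID FROM invoices WHERE Invoice_ID = ?');
    $stmt->execute([$invoiceId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (Invoice_ID INTEGER PRIMARY KEY, Client_ID INTEGER)');
$db->exec('INSERT INTO invoices VALUES (1, 7), (2, 9)');

// Constructed query strings: one well-formed, two malformed.
$requests = [
    ['page' => 'Invoices',    'Invoice_ID' => '2'],
    ['page' => '../unlisted', 'Invoice_ID' => '2'],
    ['page' => 'Invoices',    'Invoice_ID' => '2x'],
];
foreach ($requests as $q) {
    $file = resolve_page($q['page'] ?? null);
    $id   = int_param($q, 'Invoice_ID');
    if ($file === null || $id === null) {
        echo "rejected: ", json_encode($q), "\n";
        continue;
    }
    // A real handler would `require $file` here; the demo only reports the decision.
    echo "include ", basename($file), ", rows: ", count(find_invoice($db, $id)), "\n";
}
```

The same integer check and parameter binding would apply to each of the ID parameters listed in the advisory.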
