CVE-2005-4226 Information
Description
Multiple "potential" SQL injection vulnerabilities in phpWebThings 1.4 Patched might allow remote attackers to execute arbitrary SQL commands via (1) the ref parameter in download.php, (2) the direction, msg, sforum, reason, subname, and toform parameters in forum.php, (3) the msg and forum parameters in forum_edit.php, (4) the msg and forum parameters in forum_write.php, (5) the tekst parameter in guestbook.php, (6) the menuoption parameter in index.php, and (7) the sel_avatar parameter in myaccount.php. NOTE: the forum.php/forum vector is already identified by CVE-2005-3585.
Reference
http://glide.stanford.edu/yichen/research/sec.pdf
http://secunia.com/advisories/18011/
http://www.osvdb.org/21650
http://www.osvdb.org/21651
http://www.osvdb.org/21652
http://www.osvdb.org/21653
http://www.osvdb.org/21654
http://www.osvdb.org/21655
http://www.osvdb.org/21656
http://www.securityfocus.com/archive/1/419280/100/0/threaded
http://www.securityfocus.com/archive/1/419487/100/0/threaded
http://www.vupen.com/english/advisories/2005/2860
https://exchange.xforce.ibmcloud.com/vulnerabilities/23565