Vulnerability CVE-2011-1546


Published: 2011-04-04   Modified: 2012-02-13

Description:
Multiple SQL injection vulnerabilities in Andy's PHP Knowledgebase (Aphpkb) before 0.95.3 allow remote attackers to execute arbitrary SQL commands via the s parameter to (1) a_viewusers.php or (2) keysearch.php; and allow remote authenticated administrators to execute arbitrary SQL commands via the (3) id or (4) start parameter to pending.php, or the (5) aid parameter to a_authordetails.php. NOTE: some of these details are obtained from third party information.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Andy\'s PHP Knowledgebase 0.95.2 (viewusers.php) SQL Injection
Mark Stanislav
05.04.2011

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Vendor: Aphpkb
Product: Aphpkb 
Version:
0.95.2
0.95.1
0.95
0.94.9
0.94.8
0.94.7
0.94.6
0.94.5
0.94.4
0.94.3
0.94.2
0.94.1
0.93.9
0.93.8
0.93.7
0.93.6
0.93.5
0.93.4
0.93.3
0.93.2
0.93.1
0.92.9
0.92.8
0.92.7
0.92.6
0.92.5
0.92.4
0.92.3
0.92.2
0.92.1
0.92
0.91
0.9
0.89
0.88.8
0.88.7
0.88.6
0.88.5
0.88
0.87
0.86
0.85
0.84
0.83
0.82
0.81
0.80
0.79
0.78
0.77
0.76
0.75
0.74
0.73
0.72
0.71
0.70
0.67
0.66
0.65
0.64
0.63
0.62
0.61
0.6
0.59
0.58
0.57
0.56
0.55
0.54
0.53
0.52
0.51
0.5
0.45
0.44
0.43
0.42
0.41
0.4
0.39
0.38
0.371
0.361
0.35
0.33
0.31
0.3
0.21
0.2
0.1

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://aphpkb.blogspot.com/2011/03/this-release-includes-security-fixes.html
http://securityreason.com/securityalert/8168
http://securityreason.com/securityalert/8172
http://www.exploit-db.com/exploits/17084/
http://www.securityfocus.com/archive/1/517261/100/0/threaded
http://www.securityfocus.com/bid/47097
http://www.uncompiled.com/2011/03/cve-2011-1546/
http://www.vupen.com/english/advisories/2011/0802
https://exchange.xforce.ibmcloud.com/vulnerabilities/66500

Related CVE
CVE-2013-7289
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) first_name, (2) last_name, (3) email, or (4) username par...
CVE-2013-7277
Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP Referer header to saa.php, (2) username parameter to login.php, or (...
CVE-2011-1556
SQL injection vulnerability in plugins/pdfClasses/pdfgen.php in Andy's PHP Knowledgebase (Aphpkb) 0.95.4 allows remote attackers to execute arbitrary SQL commands via the pdfa parameter.
CVE-2011-1555
SQL injection vulnerability in saa.php in Andy's PHP Knowledgebase (Aphpkb) 0.95.3 and earlier allows remote attackers to execute arbitrary SQL commands via the aid parameter, a different vulnerability than CVE-2011-1546. NOTE: some of these details...
CVE-2008-6513
Unrestricted file upload vulnerability in saa.php in Andy's PHP Knowledgebase (aphpkb) 0.92.9 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a link that is listed by authors.p...

Copyright 2019, cxsecurity.com

 

Back to Top