INFORMATION

Name : CVE-2008-5335
Severity : Medium
First Publication : 2008-12-04
Last Modification : 2009-01-29

SCORING CVSS v2

CVSS Base Score : 6.8
CVSS Impact Score : 6.4
CVSS Exploit Score : 8.6
Attack Range : Network
Attack Complexity : Medium
Authentication : None Required


DETAIL

SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459.



CWE COMMON WEAKNESS ENUMERATION
CPE COMMON PLATFORM ENUMERATION (from NVD)

MILW0RM EXPLOITS

7173 : PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit.

OPEN SOURCE VULNERABILITY DATABASE (OSVDB)

50065 : PHP-Fusion messages.php Multiple Parameter SQL Injection.


SECONDARY(S) SOURCE(S)