New Advisory: X-script GuestBook

New Advisory:
X-script GuestBook
http://www.security-news.ws

--------------------Summary----------------
Software: x-script GuestBook
Sowtware's Web Site: http://x-script.net.ru Versions: 1.3a
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
PoC/Exploit: Not Available
Solution: Not Available
Discovered by: Security-news.ws

-----------------Description---------------
1. SQL Injection.

Vulnerable script: mes_add.php

Parameters 'name', 'email', 'icq', 'website' is not properly sanitized before being used in SQL query. This can be used to make SQL queries by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

--------------PoC/Exploit----------------------
Waiting for developer(s) reply.

--------------Solution---------------------
No Patch available.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

--------------Credit-----------------------
Discovered by: security-news.ws Received on Mon Oct 1 14:44:18 2007