F-Secure Vulnerability Information : Crafty Syntax Live Help "department" SQL Injection Vulnerabilities

F-SECURE.COM

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Center » Descriptions

F-Secure Vulnerability Information : Crafty Syntax Live Help "department" SQL Injection Vulnerabilities
[Summary] \| [Detailed Description] \| [Solution] \| [CVE Reference]

SA31573

Secunia

26.08.2008

Moderate

Crafty Syntax Live Help 2.x

Compromise From:

From remote

Compromise Type:

Manipulation of data

Summary

Two vulnerabilities has been discovered in Crafty Syntax Live Help, which can be exploited by malicious people to conduct SQL injection attacks.

Back to the Top

Detailed Description

Two vulnerabilities has been discovered in Crafty Syntax Live Help, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "department" parameter in is_xmlhttp.php and is_flush.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 2.14.6. Other versions may also be affected.

Back to the Top

Solution

Update to version 2.15.0.

Back to the Top

CVE Reference

Back to the Top

F-Secure Corporation