
Test ID: 1.3.6.1.4.1.25623.1.0.20170
Category: Web application abuses
Title: phpWebThings forum Parameter SQL Injection Vulnerabilities
Summary: The version of phpWebThings installed on the remote host does not properly sanitize user input in the 'forum' and 'msg' parameters of 'forum.php' script before using it in database queries.
Description:

Vulnerability Impact:
An attacker can exploit this vulnerability to display the usernames and passwords
(MD5 hashes) from the website and then use this information to gain administrative access to the affected application.

Solution:
Apply the phpWebThings 1.4 forum patch referenced in the third URL above.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2005-3585
BugTraq ID: 15277
http://www.securityfocus.com/bid/15277
Bugtraq: 20051105 XSS & SQL injection in phpWebThing
http://marc.info/?l=bugtraq&m=113122187101383&w=2
Bugtraq: 20051211 [PHP-CHECKER] 99 potential SQL injection vulnerabilities
http://www.securityfocus.com/archive/1/419280/100/0/threaded
http://glide.stanford.edu/yichen/research/sec.pdf
http://www.osvdb.org/20441
http://secunia.com/advisories/17410/
XForce ISS Database: phpwebthings-forum-sql-injection(22972)
https://exchange.xforce.ibmcloud.com/vulnerabilities/22972
Common Vulnerability Exposure (CVE) ID: CVE-2005-4218
BugTraq ID: 15465
http://www.securityfocus.com/bid/15465
https://www.exploit-db.com/exploits/1324
http://rgod.altervista.org/phpwebth14_xpl.html
Copyright: Copyright (C) 2005 Ferdy Riphagen





© 1998-2025 E-Soft Inc. All rights reserved.