Softbiz Web Hosting Directory Script multiple SQL injections
softbiz-whds-multiple-sql-injection (23208)
Description:
Softbiz Web Host Directory Script is vulnerable to SQL injection. A remote attacker could send a specially-crafted request to the search_result.php, browsecats.php, review.php, or email.php scripts, with SQL commands embedded in the cid, sbres_id, or h_id parameters. This would allow the attacker to add, modify, or delete data in the back-end database, and possibly execute arbitrary code on the system.
Consequences:
Data Manipulation
Remedy:
No remedy available as of July 9, 2011.
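With no fix available, one compensating control is to watch web server logs for unexpected values in the affected parameters. The following is an added example, not part of the original advisory or the vendor's code: it scans access-log lines for the script/parameter pairs named in CVE-2005-3817. It assumes common/combined log format and that legitimate parameter values are plain identifiers; the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script -> parameter pairs as listed in the advisory (CVE-2005-3817).
WATCHED = {
    "search_result.php": "cid",
    "review.php": "sbres_id",
    "browsecats.php": "cid",
    "email.php": "h_id",
}

# Assumption: legitimate values are plain identifiers (letters, digits, _ and -).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]*")

# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (script, parameter, decoded value) for each watched parameter
    whose value falls outside the identifier allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        param = WATCHED.get(script)
        if param is None:
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((script, param, value))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Nov/2005:10:00:01 +0000] "GET /browsecats.php?cid=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Nov/2005:10:00:09 +0000] "GET /review.php?sbres_id=4%27 HTTP/1.1" 200 733',
    '198.51.100.7 - - [23/Nov/2005:10:00:12 +0000] "GET /email.php?h_id=9+OR+1%3D1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [23/Nov/2005:10:00:20 +0000] "GET /index.php?cid=%27 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for script, param, value in suspicious_requests(SAMPLE_LOG):
        print(f"{script}: {param}={value!r}")
```

Access logs record only the query string, so parameters sent in a POST body are not covered by this check.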
References:
- Softbiz Web Hosting Directory Script Web site: Web hosting directory SCRIPT PHP web host directory script web hosting directory comparision script.
- BID-15561: Softbiz Web Host Directory Script Multiple SQL Injection Vulnerabilities
- CVE-2005-3817: Multiple SQL injection vulnerabilities in Softbiz Web Host Directory Script 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter in search_result.php, (2) sbres_id parameter in review.php, (3) cid parameter in browsecats.php, (4) h_id parameter in email.php, and (5) an unspecified parameter to the search module.
- OSVDB ID: 21079: Softbiz Web Host Directory search_result.php cid Variable SQL Injection
- OSVDB ID: 21080: Softbiz Web Host Directory review.php sbres_id Variable SQL Injection
- OSVDB ID: 21081: Softbiz Web Host Directory browsecats.php cid Variable SQL Injection
- OSVDB ID: 21082: Softbiz Web Host Directory email.php h_id Variable SQL Injection
- OSVDB ID: 21083: Softbiz Web Host Directory Search Engine SQL Injection
- SA17724: Softbiz Web Host Directory Script SQL Injection Vulnerabilities
- VUPEN/ADV-2005-2557: Softbiz Web Hosting Directory Script SQL Injection Vulnerabilities
Platforms Affected:
- SoftbizScripts Softbiz Web Hosting Directory Script 1.1
Reported:
Nov 23, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
