Magic Forum Personal view_forum.cfm SQL injection

magicforumpersonal-viewforum-sql-injection (23514) The risk level is classified as Medium Risk

Description:

Magic Forum Personal is vulnerable to SQL injection because request parameters are passed to the back-end database without proper validation. A remote attacker could send specially-crafted SQL statements in the ForumID parameter of the view_forum.cfm script, or in the ForumID, Thread or ThreadID parameters of the related view_thread.cfm script (see CVE-2005-4071), which would allow the attacker to add, modify or delete information in the back-end database.
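The following is an added illustration of the vulnerability class described above, not code from Magic Forum Personal or CFMagic: a ColdFusion lookup that interpolates an integer request parameter directly into a query, beside the hardened form that binds it with cfqueryparam. The datasource name, table and column names are assumed for the example.

```cfml
<!--- Illustrative view_forum.cfm lookup (hypothetical code, NOT the vendor's source).
      Datasource "forumDS", table "Forums" and its columns are assumed. --->

<!--- VULNERABLE pattern: URL.ForumID is interpolated into the SQL text.
      ColdFusion only doubles single quotes inside #...# within cfquery, which
      does nothing for an unquoted numeric comparison such as this one, so a
      request like  view_forum.cfm?ForumID=0 OR 1=1  alters the WHERE clause. --->
<cfquery name="qForum" datasource="forumDS">
    SELECT ForumID, ForumName
    FROM   Forums
    WHERE  ForumID = #URL.ForumID#
</cfquery>

<!--- HARDENED pattern: reject anything that is not an integer up front ... --->
<cfif NOT isValid("integer", URL.ForumID)>
    <cfthrow message="Invalid ForumID">
</cfif>

<!--- ... and bind the value as a typed parameter. cfqueryparam sends the value
      to the driver separately from the statement text, and cf_sql_integer
      enforces the type a second time at the database boundary. --->
<cfquery name="qForum" datasource="forumDS">
    SELECT ForumID, ForumName
    FROM   Forums
    WHERE  ForumID = <cfqueryparam value="#URL.ForumID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The same pattern applies to the Thread and ThreadID parameters of view_thread.cfm: any value that reaches a cfquery should be bound with cfqueryparam and given the narrowest cfsqltype that fits, rather than relying on ColdFusion's automatic quote escaping.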

Platforms Affected:

  • CFMagic, Magic Forum Personal 2.5 and prior

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Data Manipulation

References:

  • CFMagic The Best in ColdFusion Applications, Magic Forum Personal - Product Details at https://www.cfmagic.com/products/magicforumper.cfm.
  • UNSECURED SYSTEMS 12/7/2005, Magic Forum Personal SQL&XSS vuln. at http://pridels.blogspot.com/2005/12/magic-forum-personal-sqlxss-vuln.html.
  • BID-15774: CFMagic Multiple Products Input Validation Vulnerabilities
  • CVE-2005-4071: Multiple SQL injection vulnerabilities in CFMagic Magic Forum Personal 2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ForumID parameter in view_forum.cfm, and (2) ForumID, (3) Thread, and (4) ThreadID parameters in view_thread.cfm.
  • CVE-2005-4073: SQL injection vulnerability in view_archive.cfm in CFMagic Magic List Pro 2.5 allows remote attackers to execute arbitrary SQL commands via the ListID parameter.
  • OSVDB ID: 21501: Magic Forum Personal view_forum.cfm ForumID Variable SQL Injection
  • OSVDB ID: 21502: Magic Forum Personal view_thread.cfm Multiple Variable SQL Injection
  • OSVDB ID: 21504: Magic List Pro view_archive.cfm ListID Variable SQL Injection
  • SA17935: Magic Forum Personal Cross-Site Scripting and SQL Injection
  • SA17937: Magic List Pro "ListID" SQL Injection Vulnerability
  • VUPEN/ADV-2005-2793: Magic List Pro ListID Parameter Remote SQL Injection Vulnerability
  • VUPEN/ADV-2005-2794: Magic Forum Personal SQL Injection and Cross Site Scripting Issues

Reported:

Dec 06, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
