betaparticle blog id and fldGalleryID SQL injection

bpblog-multiple-sql-injection (25327) The risk level is classified as MediumMedium Risk

Description:

betaparticle blog (BP Blog) could allow the attacker to bypass authentication and gain unauthorized access to the application or add, modify, or delete information in the back-end database.


Consequences:

Data Manipulation

Remedy:

Upgrade to the latest version of BP Blog (6.02 or later), available from the v Web site. See References.

References:

  • betaparticle Web site: betaparticle blog > About bp blog.
  • BugTraq Mailing List, Sat Mar 18 2006 - 12:01:46 CST: Advisory: BetaParticle Blog <= 6.0 Multiple Remote SQL Injection Vulnerabilities.
  • BID-17148: BetaParticle Blog Multiple SQL Injection Vulnerabilities
  • CVE-2006-1333: Multpile SQL injection vulnerabilities in BetaParticle Blog 6.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to template_permalink.asp or (2) fldGalleryID parameter to template_gallery_detail.asp.
  • OSVDB ID: 23965: betaparticle BP Blog template_gallery_detail.asp fldGalleryID Variable SQL Injection
  • OSVDB ID: 23966: betaparticle BP Blog template_permalink.asp id Variable SQL Injection
  • SA19292: betaparticle blog SQL Injection Vulnerabilities
  • SECTRACK ID: 1015788: betaparticle blog Input Validation Bugs in `id` and `fldGalleryID` Parameters Permit SQL Injection
  • VUPEN/ADV-2006-1000: BetaParticle Blog fldGalleryID and id Parameters SQL Injection Vulnerabilities

Platforms Affected:

  • BP Blog BP Blog 6.0 and prior
  • Microsoft Windows XP Professional

Reported:

Mar 18, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page