FlexCustomer login SQL injection

flexcustomer-login-sql-injection (26323) The risk level is classified as MediumMedium Risk

Description:

FlexCustomer is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to admin/index.php and index.php scripts using the 'username' or 'password' parameter, which could allow the attacker to bypass authentication or view, add, modify, or delete information in the back-end database.

Platforms Affected:

  • China-on-site, Flexcustomer 0.0.4 and prior

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Data Manipulation

References:

  • BugTraq Mailing List, Sat May 06 2006 - 07:54:58 CDT, FlexCustomer <= 0.0.4 sql injection at http://archives.neohapsis.com/archives/bugtraq/2006-05/0106.html.
  • HotScripts.com, PHP :: User Management :: Flexcustomer at http://www.hotscripts.com/Detailed/25331.html.
  • BID-17864: Flexcustomer Login SQL Injection Vulnerability
  • CVE-2006-2268: SQL injection vulnerability in FlexCustomer 0.0.4 and earlier allows remote attackers to bypass authentication and execute arbitrary SQL commands via the admin and ordinary user interface, probably involving the (1) checkuser and (2) checkpass parameters to (a) admin/index.php, and (3) username and (4) password parameters to (b) index.php. NOTE: it was later reported that 0.0.6 is also affected.
  • OSVDB ID: 25342: Flexcustomer index.php Multiple Variable SQL Injection
  • OSVDB ID: 25343: Flexcustomer /admin/index.php Multiple Variable SQL Injection
  • SA20016: Flexcustomer Login SQL Injection Vulnerability
  • VUPEN/ADV-2006-1690: Flexcustomer Multiple Parameter Handling Remote SQL Injection Vulnerabilities

Reported:

May 06, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page