Virtual War war.php SQL injection

virtualwar-war-sql-injection (27153) The risk level is classified as MediumMedium Risk

Description:

Virtual War (VWar) is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the war.php script using the s, showgame, sortorder, sortby or page parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.


Consequences:

Data Manipulation

Remedy:

No remedy available as of July 9, 2011.

References:

  • BugTraq Mailing List, Thu Aug 03 2006 - 01:16:55 CDT: Vwar v1.5.0 <= Sql Injection and XSS vuln..
  • UNSECURED SYSTEMS 06/15/2006: Virtual War multiple SQL inj. vuln..
  • Vwar-Virtual War Web site: VWar 1.5.0 R14.
  • BID-19327: VWar Multiple Input Validation Vulnerabilities
  • BID-27772: REITRED: VWar 'war.php' Multiple SQL Injection Vulnerabilities
  • CVE-2006-3139: Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters.
  • CVE-2006-4010: SQL injection vulnerability in war.php in Virtual War (Vwar) 1.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: other vectors are covered by CVE-2006-3139.
  • CVE-2006-4225: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-3139. Reason: This candidate is a duplicate of CVE-2006-3139. Notes: All CVE users should reference CVE-2006-3139 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
  • OSVDB ID: 26533: Virtual War (Vwar) war.php Multiple Variable SQL Injection
  • SA20696: Virtual War "war.php" Cross-Site Scripting and SQL Injection
  • VUPEN/ADV-2006-2383: Virtual War war.php Multiple Variable Handling Remote SQL Injection Vulnerabilities

Platforms Affected:

  • vwar.biz Virtual War 1.5.0 R12 and prior

Reported:

Jun 15, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page