thinkWMS printarticle.php and index.php SQL injection

thinkwms-printarticle-sql-injection (27270) The risk level is classified as MediumMedium Risk

Description:

thinkWMS is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the printarticle.php script using the 'id' parameter or to the index.php script using the 'catid' or 'id' parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.


Consequences:

Data Manipulation

Remedy:

No remedy available as of July 9, 2011.

References:

  • thinkfactory Web site: thinkWMS-das Wissens-Management-FAQ-System fur Fragen und Antworten.
  • UNSECURED SYSTEMS Wednesday, June 21, 2006: thinkWMS SQL injection vuln..
  • BID-18567: thinkWMS Multiple SQL Injection Vulnerabilities
  • CVE-2006-3236: Multiple SQL injection vulnerabilities in thinkWMS 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in (a) index.php or (b) printarticle.php, and the (2) catid parameter in index.php.
  • OSVDB ID: 26742: thinkWMS index.php Multiple Variable SQL Injection
  • OSVDB ID: 26743: thinkWMS printarticle.php id Variable SQL Injection
  • SA20747: thinkWMS Multiple SQL Injection Vulnerabilities
  • SECTRACK ID: 1016355: thinkWMS Input Validation Flaws in the `id` and `catid` Parameters Let Remote Users Inject SQL Commands
  • VUPEN/ADV-2006-2470: thinkWMS id and catid Parameters Handling Remote SQL Injection Vulnerabilities

Platforms Affected:

  • thinkfactory thinkWMS 1.0 and prior

Reported:

Jun 21, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page