ACP3 index.php and feeds.php SQL injection

acp3-index-feeds-sql-injection (34111) Risk level: Medium

Description:

ACP3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php or feeds.php script using the mode, form[cat] or form[mods] parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
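The pattern behind this class of flaw is a request parameter concatenated directly into a query string. The following PHP is an added illustration, not ACP3's code: it contrasts that pattern with a hardened version for the three parameter shapes named above (a behaviour selector, a single integer id, and an array of module names). The table and column names, the feed modes and the module list are assumptions chosen for the example.

```php
<?php
// Added example, not ACP3 code. Table/column names (news, category_id,
// search_index), the feed modes and the module names are assumptions.

// --- Vulnerable pattern: the request value becomes part of the SQL text ---
function vulnerable_news_by_category(mysqli $db, array $form)
{
    // form[cat] is trusted as-is, so any SQL fragment it carries is executed
    // as part of the statement.
    $sql = "SELECT id, headline FROM news WHERE category_id = " . $form['cat'];
    return $db->query($sql);
}

// --- Hardened pattern: validate the shape, then bind values as parameters ---

// Assumed whitelist for the feed `mode` parameter.
const ALLOWED_FEED_MODES = ['rss', 'atom'];

function safe_feed_mode(string $mode): string
{
    // `mode` selects behaviour, not data: compare against a fixed whitelist
    // and reject anything else instead of trying to sanitise it.
    if (!in_array($mode, ALLOWED_FEED_MODES, true)) {
        throw new InvalidArgumentException('unsupported feed mode');
    }
    return $mode;
}

function safe_news_by_category(PDO $db, array $form): array
{
    // form[cat] must be a non-negative integer; FILTER_VALIDATE_INT rejects
    // anything that is not a plain integer literal.
    $cat = filter_var(
        $form['cat'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($cat === false) {
        throw new InvalidArgumentException('invalid category id');
    }
    $stmt = $db->prepare('SELECT id, headline FROM news WHERE category_id = :cat');
    $stmt->bindValue(':cat', $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function safe_search_modules(PDO $db, array $form, string $term): array
{
    // form[mods][] arrives as an array. Keep only string elements that match
    // the known module names, and bind each one through its own placeholder
    // instead of imploding the raw array into an IN (...) clause.
    $known = ['news', 'pages', 'files'];   // assumed module list
    $candidates = array_filter((array)($form['mods'] ?? []), 'is_string');
    $mods = array_values(array_intersect($candidates, $known));
    if ($mods === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($mods), '?'));
    $stmt = $db->prepare(
        "SELECT module, title FROM search_index WHERE module IN ($placeholders) AND title LIKE ?"
    );
    foreach ($mods as $i => $mod) {
        $stmt->bindValue($i + 1, $mod, PDO::PARAM_STR);   // positional params start at 1
    }
    // The search term is bound too; LIKE wildcards in it affect matching only,
    // not the statement structure.
    $stmt->bindValue(count($mods) + 1, '%' . $term . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The design point is that each parameter is checked against what the application actually expects (a whitelist, an integer range, a known set of names) before it reaches the database, and the database then receives it as a bound value rather than as query text. That removes the injection regardless of which encoding or quoting trick the input uses.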

Platforms Affected:

  • ACP3, ACP3 4.0b3 and prior

Remedy:

No remedy available as of October 4, 2008.

Consequences:

Data Manipulation

References:

  • ACP3 Web site, ACP3 at http://acp3.goratsch-webdesign.de/pages/list/id_19/. (Web site is in German)
  • BugTraq Mailing List, Sat May 05 2007 - 11:50:06 CDT, ACP3 (v4.0b3) - Multiple Vulnerabilities at http://archives.neohapsis.com/archives/bugtraq/2007-05/0060.html.
  • BID-23834: ACP3 Multiple Input Validation Vulnerabilities
  • CVE-2007-2577: Multiple SQL injection vulnerabilities in ACP3 4.0 beta 3 allow remote attackers to execute arbitrary SQL commands via (1) the mode parameter to feeds.php, the (2) form[cat] parameter to (a) news/list/index.php or (b) certain news/details/id_*/action_create/index.php files, or (3) the form[mods][] parameter to search/list/action_search/index.php.
  • OSVDB ID: 36184: ACP3 feeds.php mode Variable SQL Injection
  • OSVDB ID: 36185: ACP3 news/list/index.php form[cat] Variable SQL Injection
  • OSVDB ID: 36186: ACP3 certain news/details/id_*/action_create/index.php form[cat] Variable SQL Injection
  • OSVDB ID: 36187: ACP3 search/list/action_search/index.php form[mods][] Variable SQL Injection

Reported:

May 05, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net