MDPro referer header SQL injection
| mdpro-refererheader-sql-injection (36871) |  Medium Risk |
Description:
MDPro is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script when processing the referer HTTP header, which could allow the attacker to view, add, modify or delete information in the back-end database.
Platforms Affected:
- MAXdev, MDPro prior to 1.0.82
Remedy:
Upgrade to the latest version of MDPro (1.0.82 or later), available from the MAXdev Web site. See References.
Consequences:
Data Manipulation
References:
- MAXdev Web site, MAXdev - MDPro the most easy to use and feature rich GPL CMS at http://www.maxdev.com/index.phtml.
- BID-25864: MD-Pro Index.PHP Firefox ID SQL Injection Vulnerability
- CVE-2007-5222: SQL injection vulnerability in index.php in MAXdev MDPro (MD-Pro) 1.0.76 allows remote attackers to execute arbitrary SQL commands via a Firefox ID= substring in a Referer HTTP header.
- FrSIRT/ADV-2007-3314: MAXdev MD-Pro referer HTTP Header Remote SQL Injection Vulnerability
Reported:
Sep 29, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net