Bitweaver list_pages and index.php SQL injection
| bitweaver-listpages-index-sql-injection (38943) |  Medium Risk |
Description:
Bitweaver is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the list_pages.php or index.php script using the sort_mode and the highlight parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Platforms Affected:
- Bitweaver, Bitweaver 2.0.0 and prior
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Data Manipulation
References:
- Bitweaver Web site, welcome to bitweaver.org at http://www.bitweaver.org.
- Hackers Center Web site, [HSC] Bitweaver Cross-Site Scripting & SQL Injection Vulnerability at http://www.hackerscenter.com/archive/view.asp?id=28129.
- BID-26801: Bitweaver 2.0.0 and Prior Multiple Input Validation Vulnerabilities
- CVE-2007-6375: Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to wiki/list_pages.php and the (2) highlight parameter to search/index.php. NOTE: the researcher also reported injection via JavaScript code in the Search box, but this is probably a forced SQL error or other separate primary issue.
Reported:
Dec 09, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net