Title: Advanced Guestbook Password Parameter SQL Injection Vulnerability
Severity: HIGH
Description:
Advanced Guestbook is a guestbook script written in PHP.
It has been reported that Advanced Guestbook is prone to a vulnerability that may allow malicious users to influence SQL queries of the affected application. This issue is due to a failure of the application to properly sanitize user-supplied URI data.
The problem is reported to present itself when malicious SQL statements are passed through the password field of the script during authentication. Reportedly, a successful attack allows an attacker to gain administrative access to the vulnerable application. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.
This issue is reported to exist in Advanced Guestbook 2.2, however, it is possible that other versions are affected as well.
Affected Products:
- Advanced Guestbook Advanced Guestbook 2.2.0
References:
- Advanced Guestbook: Advanced Guestbook Homepage
- SecurityTracker: Advanced Guestbook Input Validation Hole in Password String Permits SQL Injectio
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
