HTTP: LokwaBB Private Message Disclosure (3)

This signature detects attempts to exploit a known vulnerability in the LokwaBB Web application, a Web bulletin board based on PHP and MySQL. Versions 1.2.2 and prior are vulnerable. Attackers can retrieve private messages not addressed to them.

Extended Description

Lokwa BB is a freely available message board forum. Versions of Lokwa are subject to SQL injection attacks. Lokwa BB does not properly validate externally supplied input, so arbitrary characters and additional SQL statements can be included in an SQL query. As a result, attackers may be able to modify SQL queries performed by the application. The disclosure of sensitive information may be possible. Under some circumstances, reports indicate that it may be possible to access and reply to arbitrary private messages. This issue has been reported in the 'member.php', 'misc.php' and 'pm.php' scripts.

Affected Products

Lokwa lokwa_bb

Short Name: HTTP:PHP:LOKWABB-PRIVM3
Severity: Minor
Recommended: False
Recommended Action: None
Category: HTTP
Keywords: (3) Disclosure LokwaBB Message Private bid:4981
Release Date: 04/22/2003
Supported Platforms

srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version: 3336
False Positive: Unknown
Vendors

Lokwa
