Juniper Networks

Signature Detail

Short Name: HTTP:PHP:LOKWABB-PRIVM
Severity: Medium
Recommended: No
Category: HTTP
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: LokwaBB Private Message Disclosure (1)


This signature detects attempts to exploit a known vulnerability in LokwaBB, a Web bulletin board application based on PHP and MySQL. Versions 1.2.2 and prior are vulnerable. Attackers can retrieve private messages not addressed to them.

Extended Description

Lokwa BB is a freely available message board forum. Versions of Lokwa BB are subject to SQL injection attacks. Lokwa BB does not properly validate externally supplied input before including it in an SQL query, so arbitrary characters and additional SQL statements can reach the query. As a result, attackers may be able to modify SQL queries performed by the application, and the disclosure of sensitive information may be possible. Under some circumstances, reports indicate that it may be possible to access and reply to arbitrary private messages. This issue has been reported in the 'member.php', 'misc.php' and 'pm.php' scripts.

Affected Products

  • Lokwa Lokwa BB 1.2.1

References

  • BugTraq: 4981
  • URL: http://online.securityfocus.com/archive/1/276032
  • URL: http://lokwa.farcom.com/

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.