Short Name | HTTP:PHP:LOKWABB-PRIVM3 |
---|---|
Severity | Minor |
Recommended | No |
Category | HTTP |
Keywords | LokwaBB Private Message Disclosure (3) |
Release Date | 2003/04/22 |
Update Number | 1213 |
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |

This signature detects attempts to exploit a known vulnerability in the LokwaBB Web application, a Web bulletin board based on PHP and MySQL. Versions 1.2.2 and prior are vulnerable. Attackers can retrieve private messages not addressed to them.

Lokwa BB is a freely available message board forum. Versions of Lokwa are subject to SQL injection attacks. Lokwa BB does not properly validate externally supplied input, so arbitrary characters and additional SQL statements can be included in an SQL query. As a result, attackers may be able to modify SQL queries performed by the application, and the disclosure of sensitive information may be possible. Under some circumstances, reports indicate that it may be possible to access and reply to arbitrary private messages. This issue has been reported in the 'member.php', 'misc.php' and 'pm.php' scripts.