phpAdsNew Multiple Vulnerabilities - Website Hosting - VPS Hosting - Domain Registration Ireland :: Blacknight

niall · #1 (**permalink**) 17-08-05, 03:36 PM

Some vulnerabilities have been reported in phpAdsNew, which can be exploited by malicious people to disclose certain sensitive information, conduct SQL injection attacks, or compromise a vulnerable system.

1) A vulnerable version of XML-RPC for PHP was used.

2) Input passed to the "clientid" parameter in lib-view-direct.inc.php isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires MySQL 4.1+ or PostgreSQL.

3) Input passed to certain parameters isn't properly verified before being used to include files. This can be exploited to include arbitrary local files.

Solution:
Update to version 2.0.6.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
phpAdsNew XML-RPC PHP Code Execution Vulnerability	niall	Security Notices	0	01-07-05 10:05 AM
Drupal PHP Code Execution Vulnerabilities	niall	Security Notices	0	30-06-05 11:00 AM
Xoops Cross-Site Scripting and SQL Injection Vulnerabilities	niall	Security Notices	0	30-06-05 10:55 AM
Wordpress Multiple Vulnerabilities	niall	Security Notices	0	30-06-05 10:54 AM