Description
Some vulnerabilities have been reported in webSPELL, which can be exploited by malicious people to conduct SQL injection attacks and bypass certain security restrictions.
1) Input passed via the "search" parameter to asearch.php (when "site" is set to "search" and "table", "column", "identifier", and "searchtemp" are set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "cwID" parameter to clanwars_details.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) Certain input passed to contact.php is not properly sanitised before being used to construct an email message and can be exploited to inject arbitrary email addresses.
4) Certain input passed to shoutbox_content.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities are reported in versions prior to 4.2.2a.
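A defensive pattern for issues 1 and 2, as an added example that is not webSPELL's code or its 4.2.2a fix: the table and column names are checked against an allow-list because identifiers cannot be bound, the search term is bound as a parameter, and cwID is validated as an integer. The schema, the `SEARCHABLE` map, the function names, the in-memory SQLite database, and the assumption that cwID is a numeric key are all hypothetical.

```php
<?php
// Added example: hypothetical schema and helpers, not webSPELL's own code.
declare(strict_types=1);

// Identifiers cannot be bound as parameters, so only these fixed names are accepted.
const SEARCHABLE = ['news' => ['headline', 'content'], 'users' => ['nickname']];

function search(PDO $db, array $req): array
{
    $table  = $req['table']  ?? '';
    $column = $req['column'] ?? '';
    $term   = $req['search'] ?? '';
    if (!is_string($table) || !is_string($column) || !is_string($term)) {
        throw new InvalidArgumentException('parameters must be strings');
    }
    if (!array_key_exists($table, SEARCHABLE) || !in_array($column, SEARCHABLE[$table], true)) {
        throw new InvalidArgumentException('table/column is not searchable');
    }
    // Escape LIKE wildcards with '!' so the term matches literally, then bind it.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare("SELECT id FROM $table WHERE $column LIKE :term ESCAPE '!'");
    $stmt->execute([':term' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function clanwarId(array $req): int
{
    // Assumption: cwID is a numeric key, so anything but a positive integer is rejected.
    $id = filter_var($req['cwID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('cwID must be a positive integer');
    }
    return $id;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, headline TEXT, content TEXT)");
$db->exec("INSERT INTO news (headline, content) VALUES ('Match report', '100% win')");
$db->exec("INSERT INTO news (headline, content) VALUES ('Roster', 'new players')");

var_dump(search($db, ['table' => 'news', 'column' => 'content', 'search' => '100%']));
var_dump(clanwarId(['cwID' => '17']));
```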