Info

Disclosure

Apr 23, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

BK Forum contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to each registration field in the register.asp script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Black Knight Development

BK Forum

v.4

References

Security Tracker: 1013793
Secunia Advisory ID: 15072
Related OSVDB ID: 15784 15785 15786
CVE ID: 2005-1287 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0380.html
http://marc.theaimsgroup.com/?l=bugtraq&m=111428133317901&w=2
http://www.securityfocus.com/archive/1/archive/1/431659/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/431863/100/0/threaded
Vendor URL: http://www.bkdev.net/
Other Advisory URL: http://www.digitalparadox.org/advisories/bkdev.txt

Credit

Diabolic Crab - dcrabhackerscenter.com - Personal Page

Direct URL: http://osvdb.org/15786