ATutor SQL Injection Vulnerabilities - Advisories

ATutor SQL Injection Vulnerabilities

Secunia Advisory:	SA21308
Release Date:	2006-08-01
Last Update:	2006-08-08

Critical:	Moderately critical
Impact:	Manipulation of data
Where:	From remote
Solution Status:	Vendor Patch

Software:	ATutor 1.x

CVE reference:	CVE-2006-3996 (Secunia mirror)

	Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS!

Description: rgod has reported two vulnerabilities in ATutor, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "desc" and "asc" parameters in links/index.php isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerabilities have been reported in version 1.5.3.1. Other versions may also be affected. Solution: Update to version 1.5.3.2. http://www.atutor.ca/atutor/download.php Provided and/or discovered by: rgod Changelog: 2006-08-03: Updated "Solution" section. 2006-08-07: Added new link. 2006-08-08: Added CVE reference. Original Advisory: http://retrogod.altervista.org/atutor_1531_sql.html



Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

8 Related Secunia Security Advisories

1. ATutor "type" File Inclusion Vulnerability

Send Feedback to Secunia

If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.

Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Most Popular Advisories

1.	dotProject SQL Injection and Cross-Site Scripting

2.	Novell eDirectory Multiple Vulnerabilities

3.	phpMyRealty "price_max" SQL Injection Vulnerability

4.	HP TCP/IP Services for OpenVMS Finger Format String Vulnerability

5.	Blogn Cross-Site Scripting and Cross-Site Request Forgery

6.	phpBB BBcode Script Insertion Vulnerability

7.	Adium MSN SLP Message Integer Overflow Vulnerabilities

8.	Caudium "configvar" Insecure Temporary Files

9.	IBM WebSphere Application Server for z/OS HTTP Server mod_proxy_ftp Vulnerability

10.	Sun Solaris Kernel Covert Channel Security Bypass