Who's our software guru? [Archive] - FreeConservatives

Rhino
02-16-2004, 02:05 AM
Does this affect us?

TITLE:
phpWebSite SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA10878

VERIFY ADVISORY:
http://secunia.com/advisories/10878/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of system information, Exposure of
sensitive information

WHERE:
From remote

SOFTWARE:
phpWebSite 0.x

DESCRIPTION:
David Sopas Ferreira has identified some vulnerabilities in
phpWebSite, allowing malicious people to conduct SQL injection
attacks.

The problem is that user input passed to certain parameters in
"mod/announcements/index.php" and "mod/notes/index.php" isn't
properly verified before it is used in an SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in 0.9.x versions.

SOLUTION:
This has been fixed in the CVS repository.

PROVIDED AND/OR DISCOVERED BY:
David Sopas Ferreira

ORIGINAL ADVISORY:
http://www.systemsecure.org/advisories/ssadvisory13022004.php
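
The pattern the advisory describes (a request parameter used in an SQL query without verification) and its hardened counterpart, as an added illustration that is not phpWebSite's code; the in-memory SQLite table, rows and function names are constructed for the demo.

```python
"""Constructed model of the advisory's bug class: an 'announcements'
lookup by id, once with the raw parameter pasted into the SQL text and
once with the value checked and bound. Schema and data are hypothetical."""
import sqlite3

# Constructed sample rows: one public item and one that must stay hidden.
SAMPLE_ROWS = [
    (1, "Public notice", "published"),
    (2, "Board-only memo", "draft"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE announcements (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO announcements VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_unverified(conn, raw_id):
    # Vulnerable: the parameter becomes part of the query text, so a
    # non-numeric value rewrites the WHERE clause (AND binds tighter than
    # OR, so the status filter can be bypassed) and unpublished rows leak.
    sql = ("SELECT title FROM announcements "
           "WHERE status = 'published' AND id = " + raw_id + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def fetch_verified(conn, raw_id):
    # Hardened: validate the parameter's shape, then pass it as a bound
    # value so the database never interprets it as SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = ("SELECT title FROM announcements "
           "WHERE status = 'published' AND id = ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


def is_rejected(conn, raw_id):
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        fetch_verified(conn, raw_id)
    except ValueError:
        return True
    return False
```

Running both lookups against the same input shows the concatenated query returning the draft row while the verified one refuses the input; that difference is what "properly verified" in the advisory refers to.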

Rink
02-16-2004, 05:01 AM
um ok what does this mean?

In layman's terms.

Rhino
02-16-2004, 09:30 PM
Theoretically it could mean our database could be penetrated and corrupted, if this actually affects the software we use.

Rink
02-17-2004, 03:40 AM
hmm this bears investigation then.

oracle
02-18-2004, 03:15 PM
[ QUOTE ]
Rhino said:
Theoretically it could mean our database could be penetrated and corrupted, if this actually affects the software we use.

[/ QUOTE ]

It doesn't. It's a problem in a specific software package, phpWebSite, which we don't use.

Rhino
02-18-2004, 09:21 PM
Cool. Do we use phpMyAdmin? There's an update out for it.

Beowulf
02-19-2004, 06:43 PM
Nos is pretty knowledgeable about that stuff.

FatherTime
02-23-2004, 09:51 AM
All it would take is to pull the latest package from the CVS repository and check it against existing PHP scripts for issues.

Most likely, it should not be a problem to upgrade/update.

-FT