Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
SQL injection vulnerability in userlogin.php in Phorum 3.4.7 allows remote attackers to execute arbitrary SQL commands via doubly hex-encoded characters such as "%2527", which is translated to "'", as demonstrated using the phorum_uriauth parameter to list.php.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Phorum Phorum_URIAuth Remote SQL Injection Vulnerability
Vulnerability Description
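Phorum is a web-based forum program. Phorum does not sufficiently filter user-submitted input, so a remote attacker can exploit this vulnerability to carry out SQL injection attacks and obtain sensitive information or damage the database. The script 'include/userlogin.php' included with Phorum does not sufficiently filter the '$user' parameter. Although the program uses "Magic quotes", when $phorum_uriauth carries a "%2527" value, the subsequent urldecode() operation resolves it to "'". Malicious SQL commands submitted in the parameter can therefore bypass the original database logic to obtain sensitive information or alter database operations.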
CVSS Information
N/A
Vulnerability Type
N/A
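The decode-after-escape ordering in the description above, as an added example that is not Phorum's code: it models magic quotes and the two URL-decoding passes in Python, then shows a lookup that decodes once and binds the value as a parameter. All function names, the `users` table and the sample inputs are constructed for illustration.

```python
import sqlite3
from urllib.parse import unquote


def magic_quotes(value):
    """Model of PHP magic quotes: backslash-escape backslashes and quotes."""
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value


def has_bare_quote(value):
    """True if a single quote appears that no backslash escapes."""
    escaped = False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def flawed_value(raw):
    """Escape first, decode afterwards: the ordering the description reports."""
    received = magic_quotes(unquote(raw))  # server decodes once, then escaping runs
    return unquote(received)               # second decode happens after escaping


def lookup_user(conn, raw):
    """Hardened: decode exactly once and bind the value as a query parameter."""
    value = unquote(raw)
    return conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchall()


def make_db():
    """Constructed sample table, held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn


if __name__ == "__main__":
    for raw in ("alice", "alice%27", "alice%2527"):  # constructed inputs
        print(raw, "-> bare quote after flawed path:", has_bare_quote(flawed_value(raw)))
    db = make_db()
    print(lookup_user(db, "alice"), lookup_user(db, "alice%2527"))
```

Only the doubly encoded input leaves an unescaped quote on the flawed path; the bound-parameter lookup treats the same input as a literal name that matches no row.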