PT-2005-4015 · Utopia · Utopia News Pro

Retrogod

Published

2005-10-14

Updated

2017-07-11

CVE-2005-3201

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Utopia News Pro (UNP) version 1.1.3

Description The issue allows remote attackers to execute arbitrary SQL commands due to a SQL injection vulnerability in the news.php file. This occurs when magic quotes gpc is disabled and register globals is enabled, specifically through the newsid parameter in the API endpoint "/news.php".

Recommendations For Utopia News Pro (UNP) version 1.1.3, consider disabling the newsid parameter in the news.php file until a patch is available, or ensure that magic quotes gpc is enabled and register globals is disabled to mitigate the risk of SQL injection attacks.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-3201

Affected Products

Utopia News Pro

PT-2005-4015 · Utopia · Utopia News Pro

CVE-2005-3201

Related Identifiers

Affected Products

References · 11