Thursday, December 01, 2005

ADVISORY


Product: php-addressbook v1.2 by WidgetMonkey

Vulnerability: SQL Injection

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
"This is an address book program for people who have their own web space. At present it does not have a multiple user function. I wrote it because I wanted a place where I could store all my addresses so I can access them from multiple locations, and it's a handy backup if you lose your address book, and there weren't any freeware programs that suited my needs".

DESCRIPTION:
The vulnerability can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in "view.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Other parameters also receive input that is not properly filtered, and those are likewise subject to SQL injection.
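To illustrate the class of defect described above, here is an added PHP example that is not php-addressbook's own code: the first function shows an "id" query-string value concatenated straight into the SQL text, which is what lets a crafted value change the statement; the second validates the value as a positive integer and binds it through a prepared statement. The table and column names (addresses, id, name, email) and the function names are assumptions made for the example.

```php
<?php
// Added illustration of the reported defect class; NOT php-addressbook's own code.
// Table and column names (addresses, id, name, email) are assumed for the example.

// Weak pattern: the raw "id" value is interpolated into the SQL string, so anything
// that is not a number becomes part of the statement the database parses.
function view_address_unsafe(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT id, name, email FROM addresses WHERE id = " . $id; // user input is SQL here
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern: reject anything that is not a positive integer before it reaches
// the database, then pass the value as a bound parameter instead of as SQL text.
function view_address_safe(mysqli $db, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Malformed id: refuse the request and leave a trace for the server log,
        // which is also where probing of this parameter becomes visible.
        error_log('view.php: rejected non-integer id parameter');
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT id, name, email FROM addresses WHERE id = ?');
    $stmt->bind_param('i', $id);   // "i" binds an integer; the value never becomes SQL text
    $stmt->execute();
    // get_result() needs the mysqlnd driver; with the older driver use bind_result() instead.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The same two patterns apply to every other parameter the advisory mentions as unfiltered: validate the expected type first, then bind it rather than concatenate it.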


SOLUTION:
Awaiting response from the vendor

Original Advisory: Here at http://axcesdenied.blogspot.com

Credit: $um$id
Aka
Access Denied
