製品・ソフトウェアに関する情報

JVN脆弱性詳細

PHP Address Book に SQL インジェクションの脆弱性

Title	PHP Address Book に SQL インジェクションの脆弱性
Summary	PHP Address Book には、SQL インジェクションの脆弱性が存在します。 PHP Address Book には、入力された値の処理に問題があり、SQL インジェクションの脆弱性が存在します。本脆弱性の影響を受ける関数については、Acadion Security Advisory (ACADION-VULN-2013001) をご確認ください。
Possible impacts	遠隔の第三者によって、任意の SQL コマンドを実行される可能性があります。
Solution	2013年4月8日現在、対策方法はありません。 [ワークアラウンドを実施する] 以下の回避策を適用することで、本脆弱性の影響を軽減することが可能です。　* アクセスを制限する
Publication Date	April 8, 2013, midnight
Registration Date	April 10, 2013, 12:40 p.m.
Last Update	April 10, 2013, 12:40 p.m.

Affected System

chatelao

PHP Address Book version 8.2.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-0135	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0135
National Vulnerability Database (NVD)
2	CVE-2013-0135	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0135

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
SourceForge
1	PHP Address Book - SourceForge.net	http://sourceforge.net/projects/php-addressbook/

その他

No	Name	URL
JVN
1	JVNVU#98376265	http://jvn.jp/cert/JVNVU98376265/
US-CERT Vulnerability Note
2	VU#183692	http://www.kb.cert.org/vuls/id/183692
関連文書
3	ACADION-VULN-2013001 - PHP Address Book 8.2.5	http://www.acadion.nl/labs/advisory/20130203-phpaddressbook.html

Change Log

No	Changed Details	Date of change
0	[2013年04月10日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-0135

Summary	Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
Publication Date	April 9, 2013, 12:34 p.m.
Registration Date	Jan. 26, 2021, 3:32 p.m.
Last Update	Nov. 21, 2024, 10:46 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:chatelao:php_address_book:8.2.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html	Exploit
2	http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html	Exploit
3	http://www.acadion.nl/labs/advisory/20130203-phpaddressbook.html	Exploit
4	http://www.acadion.nl/labs/advisory/20130203-phpaddressbook.html	Exploit
5	http://www.kb.cert.org/vuls/id/183692	Exploit US Government Resource
6	http://www.kb.cert.org/vuls/id/183692	Exploit US Government Resource
7	https://exchange.xforce.ibmcloud.com/vulnerabilities/99623
8	https://exchange.xforce.ibmcloud.com/vulnerabilities/99623

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html