WeBid <= 1.0.2 (includes/converter.inc.php) PHP Code Injection Vulnerability

Description:

WeBid contains a flaw which allows a remote attacker to inject and execute arbitrary PHP code. The issue is due to user-supplied input passed via the ‘from’ and ‘to’ POST parameters to converter.php is not properly sanitized before being stored in includes/currencies.php.

References:

• BID-48554
• EDB-17487
• http://www.webidsupport.com/forums/showthread.php?3892

Disclosure Date:

July 4, 2011