Unobtrusive Ajax Star Rating Bar Multiple Issues

Product:
Unobtrusive Ajax Star Rating Bar

Released:
07/09/2007

Description:
The Unobtrusive Ajax Star Rating Bar contains SQL injections in the db.php and rpc.php scripts, CRLF injection to the db.php script, and
XSS to the rpc.php script.

Technical Description:
SQL Injection: rpc.php q and t variables
SQL Injection: db.php q and t variables
CRLF Injection: db.php HTTP_REFERER variable
XSS: rpc.php q variable

Fix/Workaround:
Upgrade to Unobtrusive Ajax Star Rating Bar version 1.2.0 or higher.

Vendor Status:
Vendor was notified and responded promptly, and resolved the issues in two days.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-35933 Unobtrusive Ajax Star Rating Bar db.php Multiple SQL Injection
OSVDB-35934 Unobtrusive Ajax Star Rating Bar rpc.php Multiple SQL Injection
OSVDB-35935 Unobtrusive Ajax Star Rating Bar rpc.php q Variable XSS
OSVDB-35936 Unobtrusive Ajax Star Rating Bar db.php HTTP_REFERER CRLF Injection
Vulnerabilities: