netVigilance Security Advisory #42
Fa Name version 1.0 SQL Injection Vulnerability
is useful portal (CMS) for .name websites. You can have a simple portal
but useful one for you domain names and by useing this portal you can
show your complete information like photo, identification , projects and
history to the others.
Successful exploitation requires PHP magic_quotes_gpc set to Off on the
server. (default is magic_quotes_gpc = On)
Mitre CVE: CVE-2007-3652
NVD NIST: CVE-2007-3652
Fa Name is useful portal (CMS) for .name websites.
A security problem in the product allows attackers to commit SQL injection.
Release Date: June 30th 2008
CVSS Version 2 Metrics:
Access Vector: Network
Access Complexity: Medium
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Remediation Level: Workaround
Report Confidence: Uncorroborated
CVSS Version 2 Vectors:
Base Vector: �AV:N/AC:M/Au:N/C:P/I:P/A:P�
Temporal Vector: �E:F/RL:W/RC:UR�
CVSS Version 2 Scores:
Base Score: 6.8
Impact Subscore: 6.4
Exploitability Subscore: 6.8
Temporal Score: 5.8
SecureScout Testcase ID: TC 17972
Fa Name version 1.0
SQL injection allows malicious people to execute their own SQL scripts.
This could be exploited to obtain sensitive data, modify database
contents or acquire administrator�s privileges.
The Vendor has been notified on July 7th 2007, but did not respond.
In the php.ini file set magic_quotes_gpc = On.
http://[TARGET]/[FANAME-DIRECTORY]/class/page.php?id=-1' UNION SELECT
1,1,1,`name` FROM `portal`%23
Co-founder netVigilance, Inc