eoCMS SQL injection vulnerability 1. General information eoCMS is an open source code software which is used to develop Internet forum (http://eocms.com/). On October 15, 2009, Bkis Security detected a SQL injection vulnerability in some functions of eoCMS. This is a critical vulnerability which allows hacker to access the data in the database and execute unauthorized tasks. Bkis has informed the software developer team, and they have patched the vulnerability in the latest software version - eoCMS 0.9.02. Details : http://blog.bkis.com/?p=800 SVRT Advisory: Bkis-12-2009 Initial vendor notification : 11/25/09 Release Date: 11/05/09 Update Date: 11/05/09 Discovered by: Bkis Attack Type: SQL Injection Security Rating: Critical Affected Software: eCMS (version <= 0.9.01) 2. Technical Description SQL Injection occurs due to the software on Server can not strictly control the validity of variables transmitted from client before sending a query to the database. Hacker is able to take advantage of this vulnerability to insert malicious SQL code and then can manipulate all the data in the database. SQL Injection vulnerability is found in the page divide function of viewboard and viewtopic module. Though eoCMS is integrated with error control technology (including SQL Injection), this technology fails to thoroughly handle the errors. Thus, hacker is able to take advantage of the found vulnerability to gain any information from the database, including administrator's data. 3. Solution Rating this as a critical vulnerability, Bkis recommends all organizations and individuals using eoCMS immediately update the latest software version. --------------------------------------------- Bkis Internet Security (www.bkis.vn)