eoCMS 0.9.01 SQL injection vulnerability

2009-11-05 / 2009-11-06
Credit: Bkis
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

eoCMS SQL injection vulnerability 1. General information eoCMS is an open source code software which is used to develop Internet forum (http://eocms.com/). On October 15, 2009, Bkis Security detected a SQL injection vulnerability in some functions of eoCMS. This is a critical vulnerability which allows hacker to access the data in the database and execute unauthorized tasks. Bkis has informed the software developer team, and they have patched the vulnerability in the latest software version - eoCMS 0.9.02. Details : http://blog.bkis.com/?p=800 SVRT Advisory: Bkis-12-2009 Initial vendor notification : 11/25/09 Release Date: 11/05/09 Update Date: 11/05/09 Discovered by: Bkis Attack Type: SQL Injection Security Rating: Critical Affected Software: eCMS (version <= 0.9.01) 2. Technical Description SQL Injection occurs due to the software on Server can not strictly control the validity of variables transmitted from client before sending a query to the database. Hacker is able to take advantage of this vulnerability to insert malicious SQL code and then can manipulate all the data in the database. SQL Injection vulnerability is found in the page divide function of viewboard and viewtopic module. Though eoCMS is integrated with error control technology (including SQL Injection), this technology fails to thoroughly handle the errors. Thus, hacker is able to take advantage of the found vulnerability to gain any information from the database, including administrator's data. 3. Solution Rating this as a critical vulnerability, Bkis recommends all organizations and individuals using eoCMS immediately update the latest software version. --------------------------------------------- Bkis Internet Security (www.bkis.vn)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top