WebAdministrator Lite CMS remote SQL injection

2010.02.28
Credit: Ariko-Security
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Title: [SQL injection vulnerability in WebAdministrator Lite CMS] # Date: [25.02.2010] # Author: [Ariko-Security] # Software Link: [http://jskinternet.pl/] # Version: [Lite] ============ { Ariko-Security - Advisory #5/2/2010 } ============= SQL injection vulnerability in WebAdministrator Lite CMS Vendor's Description of Software: # http://jskinternet.pl/portal/jsk/3/Oferta.html Dork: # webadministrator lite Application Info: # Name: WebAdministrator Lite CMS # Versions: LITE Vulnerability Info: # Type: SQL injection Vulnerability # Risk: medium Fix: # N/A Time Table: # 25/02/2010 - Vendor notified. # 25/02/2010 - Vendor response "we will not release FIX for LITE, soon new version".... Input passed via the "s" parameter to download.php is not properly sanitised before being used in a SQL query. Solution: # Input validation of "s" parameter should be corrected. Vulnerability: # http://[site]/download.php?s=[SQLi]&id=2324 Credit: # Discoverd By: MG # Website: http://Ariko-security.com # Contacts: support[-at-]ariko-security.com Ariko-Security Maciej Gojny vuln@ariko-security.com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top