SelfComposer CMS html injection and remote SQL injection

2010.05.17
Credit: CoBRa_21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

==== =={ Advisory 14/5/2010 } ======

SQL injection vulnerability in SelfComposer CMS

Vendor's Description of Software:
# http://www.selfcomposer.it

Dork:
allinurl:"prodotti.asp?idpadrerif="

Application Info:
Name: SelfComposer

Vulnerability Info:
Type: SQL injection Vulnerability
Risk: High
Fix: N/A

Time Table:
06/05/2010 - Vendor notified.

Additional Info:
All the input passed via "idprod", "idpadrerif", "idreferenza" and "idpadrerifIstituzionali" is not properly sanitised before being used in a SQL query.

Solution:
Input validation of the "idprod", "idpadrerif", "idreferenza" and "idpadrerifIstituzionali" parameters should be corrected.

Vulnerability:
# http://[site]/scheda.asp?idprod=[SQLi]&idpadrerif=[SQLi]
# http://[site]/schedaistituzionale.asp?idreferenza=[SQLi]&idpadrerifIstituzionali=[SQLi]

Credit:
Discovered By: Locu
Website: http://xlocux.wordpress.com
Contacts: xlocux[-at-]gmail.com

============ {EOF} =============
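As an added example (not the vendor's code and not part of the advisory), this shows the fix the Solution section calls for and a matching defensive check: the four advisory parameters are accepted only as plain integers and bound as query parameters instead of being concatenated into SQL, and a small log scan flags requests to the two affected pages whose id parameters fail that validation. The SQLite table, its columns and the log line format are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# The four query parameters named in the advisory; each should be an integer id.
ID_PARAMS = ("idprod", "idpadrerif", "idreferenza", "idpadrerifIstituzionali")
ID_RE = re.compile(r"[0-9]{1,10}")

def validate_id(value):
    """Return the id as an int when it is a plain decimal number, otherwise None."""
    if value is None or not ID_RE.fullmatch(value):
        return None
    return int(value)

def make_demo_db():
    """Constructed in-memory stand-in for the CMS product table (not the vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prodotti (idprod INTEGER, idpadrerif INTEGER, nome TEXT)")
    conn.execute("INSERT INTO prodotti VALUES (12, 3, 'demo product')")
    return conn

def lookup_product(conn, idprod, idpadrerif):
    """Hardened lookup: reject anything but plain integers, then bind them as parameters."""
    pid, pref = validate_id(idprod), validate_id(idpadrerif)
    if pid is None or pref is None:
        raise ValueError("rejected: id parameters must be plain integers")
    sql = "SELECT nome FROM prodotti WHERE idprod = ? AND idpadrerif = ?"
    row = conn.execute(sql, (pid, pref)).fetchone()
    return row[0] if row else None

# Constructed web-server log lines (date time method uri-stem uri-query status); not real traffic.
SAMPLE_LOG = [
    "2010-05-14 10:00:01 GET /scheda.asp idprod=12&idpadrerif=3 200",
    "2010-05-14 10:00:07 GET /scheda.asp idprod=12%27&idpadrerif=3 500",
    "2010-05-14 10:00:09 GET /schedaistituzionale.asp idreferenza=1+or+1%3D1&idpadrerifIstituzionali=2 200",
    "2010-05-14 10:00:12 GET /index.asp - 200",
]

def suspicious_requests(log_lines):
    """Return (uri-stem, parameter, decoded value) for each advisory parameter that fails validation."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 6 or fields[4] == "-":  # "-" marks an empty query string
            continue
        stem, query = fields[3], fields[4]
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                if name in ID_PARAMS and validate_id(v) is None:
                    hits.append((stem, name, v))
    return hits
```

The log scan decodes the query string first, so percent-encoded and plus-encoded values are judged on their decoded form.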


Copyright 2024, cxsecurity.com