# Title: XSS, SQL injection vulnerability in WmsCMS
# EDB-ID:
# CVE: ()
# OSVDB-ID: ()
# Author: Ariko-Security
# Published: 2010-06-05

============ { Ariko-Security - Advisory #1/6/2010 } =============

XSS, SQL injection vulnerability in WMSCMS 2007
Secunia Advisory SA25583 (only XSS 3 params)

Vendor's Description of Software:
# http://www.wmsdesign.net

Demo
# http://wmscms.com

Dork:
# n/a

Application Info:
# Name: WMSCMS
# ALL versions

Vulnerability Info:
# Type: XSS
# Type: SQL injection

Vulnerability Fix:
# N/A

Time Table:
# 10/05/2010 - Vendor notified.

Input passed via the "search", "sbr", "pid", "sbl" and "FilePath" parameters to default.asp is not properly sanitised before being used in a SQL query.

Input passed via the "sbr", "pr" and "psPrice" parameters to printpage.asp is not properly sanitised before being used in a SQL query.

Input passed via the "search", "sbr", "p" and "sbl" parameters to default.asp is not properly sanitised before being returned to the user.

Solution:
# Input validation of all mentioned parameters should be corrected.

Vulnerability: SQLi & BSQLi
# http://wmscms.com/default.asp (Parameter search)
# http://wmscms.com/default.asp (Parameter sbr)
# http://wmscms.com/default.asp (Parameter pid)
# http://wmscms.com/default.asp (Parameter sbl)
# http://wmscms.com/default.asp (Parameter FilePath)
# http://wmscms.com/printpage.asp (Parameter sbr)
# http://wmscms.com/printpage.asp (Parameter pr)
# http://wmscms.com/printpage.asp (Parameter psPrice)

XSS
# http://wmscms.com/default.asp (Parameter = search)
# http://wmscms.com/default.asp (Parameter = sbr)
# http://wmscms.com/default.asp (Parameter = p)
# http://wmscms.com/default.asp (Parameter = sbl)

Credit:
# Discovered By: MG / Ariko-Security 2010
# http://secunia.com/advisories/25583/ (XSS 3 params)

Advisory:
# http://www.ariko-security.com/june2010/audyt_bezpieczenstwa_692.html

Ariko-Security
support@ariko-security.com
tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)
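Since no vendor fix is listed, a site running this CMS would want to spot probes against the named parameters in its IIS logs. The following detection script is an added example, not part of the advisory; the log excerpt is constructed and the W3C field layout it parses (date, time, method, uri-stem, uri-query, client ip, status) is an assumption, so adjust the split to your own #Fields line.

```python
"""Flag requests that probe the WMSCMS parameters named in the advisory.
Added detection example; the log sample below is constructed, not a real capture."""
import re
from urllib.parse import parse_qs

# Affected script -> parameters the advisory lists for it (SQLi and XSS together).
WATCHED = {
    "/default.asp": {"search", "sbr", "pid", "sbl", "filepath", "p"},
    "/printpage.asp": {"sbr", "pr", "psprice"},
}
# Conservative indicators: SQL string/comment breakouts, boolean tests, HTML tags.
SUSPECT = re.compile(r"('|--|/\*|;|\bor\b\s+\S+\s*=|\bunion\b|<\s*/?\s*\w+)", re.I)

# Constructed sample; assumed field layout: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-06-05 10:00:01 GET /default.asp search=lamp 203.0.113.5 200
2010-06-05 10:00:07 GET /default.asp search=lamp' 203.0.113.9 500
2010-06-05 10:00:09 GET /printpage.asp pr=12&psPrice=9.99 203.0.113.5 200
2010-06-05 10:00:12 GET /printpage.asp pr=12&sbr=1%20UNION%20SELECT%201 203.0.113.9 500
2010-06-05 10:00:15 GET /default.asp p=%3Cscript%3Ealert(1)%3C/script%3E 203.0.113.9 200
2010-06-05 10:00:20 GET /about.asp id=1' 203.0.113.9 200
"""

def suspicious_params(uri_stem, uri_query):
    """Return the watched parameters whose decoded value carries an indicator."""
    watched = WATCHED.get(uri_stem.lower())
    if not watched or uri_query == "-":
        return []
    hits = []
    # parse_qs URL-decodes the values, so the regex sees the decoded text.
    for name, values in parse_qs(uri_query, keep_blank_values=True).items():
        if name.lower() in watched and any(SUSPECT.search(v) for v in values):
            hits.append(name)
    return hits

def scan_log(text):
    """Return (client ip, script, [params]) for each log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        _date, _time, _method, stem, query, client, _status = line.split(" ", 6)
        hits = suspicious_params(stem, query)
        if hits:
            findings.append((client, stem, hits))
    return findings
```

Requests to scripts outside the advisory (about.asp above) are deliberately ignored so the rule stays scoped to the affected endpoints.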