SQL injection vulnerability in WebAdministrator Lite CMS - 1 March 2010

Home » 2010 » March » 1 » SQL injection vulnerability in WebAdministrator Lite CMS

10.56.28 SQL injection vulnerability in WebAdministrator Lite CMS
# Title: [SQL injection vulnerability in WebAdministrator Lite CMS] # Date: [25.02.2010] # Author: [Ariko-Security] # Software Link: [http://jskinternet.pl/] # Version: [Lite] ============ { Ariko-Security - Advisory #5/2/2010 } ============= SQL injection vulnerability in WebAdministrator Lite CMS Vendor's Description of Software: # http://jskinternet.pl/portal/jsk/3/Oferta.html Dork: # webadministrator lite Application Info: # Name: WebAdministrator Lite CMS # Versions: LITE Vulnerability Info: # Type: SQL injection Vulnerability # Risk: medium Fix: # N/A Time Table: # 25/02/2010 - Vendor notified. # 25/02/2010 - Vendor response "we will not release FIX for LITE, soon new version".... Input passed via the "s" parameter to download.php is not properly sanitised before being used in a SQL query. Solution: # Input validation of "s" parameter should be corrected. Vulnerability: # http://[site]/download.php?s=[ SQLi]&id=2324 Credit: # Discoverd By: MG # Website: http://Ariko-security.com # Contacts: support[-at-]ariko-security.com Ariko-Security Maciej Gojny vuln@ariko-security.com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)
1 2 3 4 5 Views: 1067 \| Added by: b1zz4rd \| Rating: 0.0/0

Login:
Password: