Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Amiro.CMS <= 5.4.4 SQL inj

From: Henri Salo <henri () nerv fi>
Date: Thu, 22 Apr 2010 21:00:10 +0300
On Thu, 22 Apr 2010 21:20:26 +0400
Владимир Воронцов <vladimir.vorontsov () onsec ru> wrote:


No.

On Thu, 22 Apr 2010 18:35:48 +0300, Henri Salo <henri () nerv fi> wrote:

On Thu, 22 Apr 2010 09:52:26 +0400
Владимир Воронцов <vladimir.vorontsov () onsec ru> wrote:


In the system of site management Amiro.CMS found a critical
vulnerability introduction operators database. The vulnerability
allows an attacker, in particular, to compromise a target system,
gain administrative access.

Vulnerability has been discovered introduction of operators
database at user registration. An attacker can fill in the
"signature in the forum" with special data and affect the
structure of the query to the DBMS. Information about the request
not be displayed on the screen, thus possibly

conduct "blind" injections in order to obtain data or injections in
order to displace the data. Injection takes place in the operator
database INSERT. Further details were not disclosed at the request
of the developer.

Original at Russian: http://onsec.ru/vuln?id=20


Have you requested CVE-identifier for this?

---
Henri Salo




Please do: http://cve.mitre.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: