Full Disclosure mailing list archives
Re: Amiro.CMS <= 5.4.4 SQL inj
From: Henri Salo <henri () nerv fi>
Date: Thu, 22 Apr 2010 21:00:10 +0300
On Thu, 22 Apr 2010 21:20:26 +0400 Владимир Воронцов <vladimir.vorontsov () onsec ru> wrote:
No. On Thu, 22 Apr 2010 18:35:48 +0300, Henri Salo <henri () nerv fi> wrote:On Thu, 22 Apr 2010 09:52:26 +0400 Владимир Воронцов <vladimir.vorontsov () onsec ru> wrote:In the system of site management Amiro.CMS found a critical vulnerability introduction operators database. The vulnerability allows an attacker, in particular, to compromise a target system, gain administrative access. Vulnerability has been discovered introduction of operators database at user registration. An attacker can fill in the "signature in the forum" with special data and affect the structure of the query to the DBMS. Information about the request not be displayed on the screen, thus possibly conduct "blind" injections in order to obtain data or injections in order to displace the data. Injection takes place in the operator database INSERT. Further details were not disclosed at the request of the developer. Original at Russian: http://onsec.ru/vuln?id=20Have you requested CVE-identifier for this? --- Henri Salo
Please do: http://cve.mitre.org/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Amiro.CMS <= 5.4.4 SQL inj Владимир Воронцов (Apr 21)
- Re: Amiro.CMS <= 5.4.4 SQL inj Henri Salo (Apr 22)
- Message not available
- Re: Amiro.CMS <= 5.4.4 SQL inj Henri Salo (Apr 22)
- Message not available
- Re: Amiro.CMS <= 5.4.4 SQL inj Henri Salo (Apr 22)