Date: 27 Apr 2005 20:25:18 -0000
From: CENSORED <censored@...l.ru>
To: bugtraq@...urityfocus.com
Subject: SQL-injections in koobi-cms

SQL-injections in koobi-cms 4.2.3
_____________________________________________________________

The program: koobi-cms
Homepage: http://www.dream4.de/
Vulnerable versions: 4.2.3
Found by: CENSORED [SVT] 28.04.05
_____________________________________________________________

The description
---------------

A vulnerability has been found in the page parameter, which in koobi-cms
is called p. Data passed to this parameter is not filtered, so SQL
injection is possible. By substituting a ' character it is probably also
possible to determine the server's home directory. A second flaw exists in
the parameter q, which is used for the site search.

Examples
--------

http://127.0.0.1/index.php?p='[SQL code]
http://127.0.0.1/index.php?area=1&p='[SQL code]
http://127.0.0.1/index.php?q='[SQL code]

The conclusion
--------------

The vulnerability was found in version 4.2.3; other versions were not
researched. They are probably also vulnerable.

-------------------------------------------------------------
CENSORED Search Vulnerabilities Team
www.security-tmp.net.ru
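The two flaws the advisory describes (a page-selector parameter and a search parameter spliced into SQL text, plus a raw database error reaching the response) are a common pattern, so the following added example shows the vulnerable handler shape beside a hardened one. It is illustration code written for this archive page, not koobi-cms's own code; the `pages` table, its columns, the `lookup_*`, `search_hardened` and `render_*` function names, and the sample rows are all constructed assumptions. It uses an in-memory SQLite database so it runs offline.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a CMS page table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (name TEXT PRIMARY KEY, body TEXT)")
    conn.execute(
        "INSERT INTO pages VALUES ('home', 'Welcome'), ('about', 'About us')"
    )
    conn.commit()
    return conn


def lookup_page_vulnerable(conn, p):
    """Vulnerable pattern: the request parameter is concatenated into the SQL
    text, so a single quote in it changes the structure of the statement."""
    sql = "SELECT body FROM pages WHERE name = '" + p + "'"
    return [row[0] for row in conn.execute(sql)]


def render_vulnerable(conn, p):
    """Vulnerable handler: the raw database error text is echoed back, which
    is how path/configuration details leak in the advisory's scenario."""
    try:
        return "\n".join(lookup_page_vulnerable(conn, p))
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)


def lookup_page_hardened(conn, p):
    """Hardened lookup: allow-list the page name, then bind it as data.
    Returns None when the value is rejected, a (possibly empty) list otherwise."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", p):
        return None
    rows = conn.execute("SELECT body FROM pages WHERE name = ?", (p,)).fetchall()
    return [row[0] for row in rows]


def render_hardened(conn, p):
    """Hardened handler: rejected or unknown pages get one generic message;
    database errors are logged server-side (omitted here) and never echoed."""
    try:
        rows = lookup_page_hardened(conn, p)
    except sqlite3.Error:
        return "Internal error"
    if not rows:
        return "Not found"
    return "\n".join(rows)


def search_hardened(conn, q):
    """Hardened free-text search (the q parameter case): the term is bound as a
    parameter, and LIKE metacharacters are escaped so they match literally."""
    term = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name FROM pages WHERE body LIKE ? ESCAPE '\\'",
        ("%" + term + "%",),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, p=home :", render_vulnerable(db, "home"))
    print("vulnerable, p='    :", render_vulnerable(db, "'"))
    print("hardened,   p=home :", render_hardened(db, "home"))
    print("hardened,   p='    :", render_hardened(db, "'"))
    print("search,     q=About:", search_hardened(db, "About"))
    print("search,     q='    :", search_hardened(db, "'"))
```

The allow-list in `lookup_page_hardened` is the primary control for a page selector, since a page name has a known shape; parameter binding is the defence that holds for free text such as a search term, where no allow-list applies. Keeping the two responses for "rejected" and "database failure" generic is what closes the path-disclosure half of the report.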