Date: 27 Apr 2005 20:25:18 -0000
From: CENSORED <censored@...l.ru>
To: bugtraq@...urityfocus.com
Subject: SQL-injections in koobi-cms
SQL injections in koobi-cms 4.2.3
_____________________________________________________________
Program: koobi-cms
Homepage: http://www.dream4.de/
Vulnerable versions: 4.2.3
Found by: CENSORED [SVT] 28.04.05
_____________________________________________________________


Description
-----------

A vulnerability has been found in the page parameter, which koobi-cms
refers to as p. Data passed to this parameter is not filtered, which
makes SQL injection possible. By submitting a ' character, it is
probably possible to determine the server's home directory.

The same bug exists in the q parameter, which is used for the site
search.

Examples 
--------

http://127.0.0.1/index.php?p='[SQL code] 
http://127.0.0.1/index.php?area=1&p='[SQL code] 
http://127.0.0.1/index.php?q='[SQL code] 
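An added Python illustration of the defect described above and of the two things a defender takes from the Examples; this is not koobi-cms code (which is PHP), and the table schema, the sqlite3 backend and the access-log lines are constructed assumptions. The concatenated query breaks on a bare quote and returns a database error, which is the kind of message that discloses server paths when an application echoes it; the parameterized query treats the same quote as ordinary data. The last function scans constructed access-log lines for quotes in the p and q parameters named in the advisory.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the CMS pages table (assumption: koobi-cms'
# real schema is not in the advisory).
SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT NOT NULL, body TEXT NOT NULL);
INSERT INTO pages (name, body) VALUES ('home', 'Welcome'), ('about', 'About us');
"""


def _fresh_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_page_unsafe(p: str) -> str:
    """Mirrors the reported defect: the request parameter is concatenated
    into the SQL text, so a quote in p changes the statement's structure.
    Returns the page body, or the database error text, which is what a
    visitor sees when an application echoes the error to the page."""
    conn = _fresh_db()
    sql = "SELECT body FROM pages WHERE name = '" + p + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    return row[0] if row else ""


def lookup_page_safe(p: str) -> str:
    """Hardened form: the parameter is bound as a value and the SQL text is
    fixed, so a quote is just another character in the page name."""
    conn = _fresh_db()
    row = conn.execute("SELECT body FROM pages WHERE name = ?", (p,)).fetchone()
    return row[0] if row else ""


WATCHED_PARAMS = ("p", "q")  # the two parameters named in the advisory
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def quote_in_watched_params(log_line: str) -> bool:
    """Constructed access-log check (Combined Log Format assumed): True when
    a watched query parameter carries a single quote, raw or %27-encoded."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return False
    query = urlsplit(m.group(1)).query
    values = parse_qs(query, keep_blank_values=True)  # parse_qs URL-decodes
    return any("'" in v for name in WATCHED_PARAMS for v in values.get(name, []))


if __name__ == "__main__":
    print(lookup_page_unsafe("home"))   # Welcome
    print(lookup_page_unsafe("'"))      # ERROR: unrecognized token ...
    print(lookup_page_safe("'"))        # empty string: no page named '
    sample = ('127.0.0.1 - - [27/Apr/2005:20:25:18 +0000] '
              '"GET /index.php?area=1&p=%27 HTTP/1.0" 500 512')
    print(quote_in_watched_params(sample))  # True
```

The unsafe function returns the error text only to make the failure visible in a script; a production application should log the database error and show the user a generic page, since the error text is where the directory path mentioned above leaks out.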


Conclusion
----------

The vulnerability was found in version 4.2.3; other versions were not
tested and are probably vulnerable as well.
------------------------------------------------------------- 

CENSORED  Search Vulnerabilities Team 
www.security-tmp.net.ru 
