[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041023153741.7995.qmail@www.securityfocus.com>
Date: 23 Oct 2004 15:37:41 -0000
From: Rene <l0om@...luded.org>
To: bugtraq@...urityfocus.com
Subject: dwc_articles possible sql injection
author: l0om
site: www.excluded.org
product: dwc_articles <= 1.6 (maybe other versions too)
problem: possible sql injection
Vendor site?
www.distinctwebcreations.com
note:its currently down.
Vendor status?
Didnt find an email address or phon number.
what is it?
Dwc_Articles is an ASP application designed to add Featured,
Recent and Popular News through an easy to use administration area.
Other features: Design Packages, Add, Modify, Deactive through HTML/Wysiwyg Editor,
Upload, Categories, Multiple Users and more.
Where is the problem?
Nearly all scripts suffer from possible sql injections.
This may lead an attacker to change websites content or even worse- log in
as an admin.
Workaround?
currently remove/rename the admin scripts might be a good idea.
iam sorry for no patch included, but i dont own the scripts.
Powered by blists - more mailing lists