Date: Mon, 15 Jun 2009 19:56:49 +0100
From: SmOk3 <smok3f00@...il.com>
To: vuldb@...urityfocus.com, vuln@...unia.com,
	bugs@...uritytracker.com, bugtraq@...urityfocus.com
Subject: [DSF-02-2009] - Zoki Catalog SQL Injection

Ref. [DSF-02-2009] - Zoki Catalog SQL Injection
Vendor: Zoki Soft (www.zokisoft.com)
Status: Patched by vendor

Original advisory:
http://www.davidsopas.com/2009/06/15/zoki-catalog-sql-injection/


Zoki Catalog
Smart Catalog is unique and convenient software. It is designed for
many purposes, whether you want to create a blog, product catalog,
classifieds, events, jobs or many others. This software gives you the
opportunity to create general categories and an unlimited number of
subcategories, create static pages, upload images, and rate and comment
on listings. The Smart Catalog has SEO-optimized URLs and RSS feeds, and
is indexed quickly by major search engines.

Description
This PHP-based catalog is vulnerable to SQL injection in its search form.
Injecting a quote mark breaks the SQL query and even discloses
sensitive database information that could help a malicious user
construct and submit a valid SQL injection query.


Impact
A malicious user could manipulate SQL queries by injecting arbitrary
SQL code and retrieve private information.


Time-line
June 3, 2009 - Reported to Zoki Soft
June 13, 2009 - Reply from vendor
June 15, 2009 - Vendor fixed it
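
The failure mode from the Description (a quote mark in the search form breaking the query and exposing database details), next to a parameterized version. This is an added example, not code from the advisory or from Zoki Soft; the schema, function names and the in-memory SQLite/PDO setup are assumptions for illustration.

```php
<?php
// Added illustration only; table, column and function names are hypothetical,
// not taken from Zoki Catalog. Uses an in-memory SQLite database via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO listings (title) VALUES ('Used bike'), ('O''Reilly book'), ('100% wool scarf')");

// Vulnerable pattern: the search term is concatenated into the SQL text, and
// the driver's error message is handed back to the visitor.
function search_vulnerable(PDO $db, string $term): array {
    try {
        $sql = "SELECT id, title FROM listings WHERE title LIKE '%" . $term . "%'";
        return ['rows' => $db->query($sql)->fetchAll(PDO::FETCH_ASSOC), 'error' => null];
    } catch (PDOException $e) {
        return ['rows' => [], 'error' => $e->getMessage()]; // leaks database details
    }
}

// Hardened pattern: the term is bound as a parameter, LIKE wildcards in it are
// escaped, and failures are logged server-side while a generic message is returned.
function search_hardened(PDO $db, string $term): array {
    try {
        $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
        $stmt = $db->prepare("SELECT id, title FROM listings WHERE title LIKE :pat ESCAPE '\\'");
        $stmt->execute([':pat' => '%' . $escaped . '%']);
        return ['rows' => $stmt->fetchAll(PDO::FETCH_ASSOC), 'error' => null];
    } catch (PDOException $e) {
        error_log('search failed: ' . $e->getMessage());
        return ['rows' => [], 'error' => 'Search is temporarily unavailable.'];
    }
}

// Constructed sample inputs: a plain word, a title with an apostrophe, a LIKE wildcard.
foreach (["bike", "O'Reilly", "100%"] as $term) {
    $v = search_vulnerable($db, $term);
    $h = search_hardened($db, $term);
    printf("%-10s vulnerable: %d row(s), error=%s\n", $term, count($v['rows']), $v['error'] ?? 'none');
    printf("%-10s hardened:   %d row(s), error=%s\n", $term, count($h['rows']), $h['error'] ?? 'none');
}
```

With the apostrophe input, the concatenated query fails with a driver syntax error that reaches the caller, while the bound query returns the matching listing.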
