lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 22 Apr 2010 21:00:10 +0300
From: Henri Salo <henri@...v.fi>
To: Владимир Воронцов
	<vladimir.vorontsov@...ec.ru>, full-disclosure@...ts.grok.org.uk
Subject: Re: Amiro.CMS <= 5.4.4 SQL inj

On Thu, 22 Apr 2010 21:20:26 +0400
Владимир Воронцов <vladimir.vorontsov@...ec.ru> wrote:

> No.
> 
> On Thu, 22 Apr 2010 18:35:48 +0300, Henri Salo <henri@...v.fi> wrote:
> > On Thu, 22 Apr 2010 09:52:26 +0400
> > Владимир Воронцов <vladimir.vorontsov@...ec.ru> wrote:
> > 
> >> In the system of site management Amiro.CMS found a critical
> >> vulnerability introduction operators database. The vulnerability
> >> allows an attacker, in particular, to compromise a target system,
> >> gain administrative access.
> >> 
> >> Vulnerability has been discovered introduction of operators
> >> database at user registration. An attacker can fill in the
> >> "signature in the forum" with special data and affect the
> >> structure of the query to the DBMS. Information about the request
> >> not be displayed on the screen, thus possibly
> >> 
> >> conduct "blind" injections in order to obtain data or injections in
> >> order to displace the data. Injection takes place in the operator
> >> database INSERT. Further details were not disclosed at the request
> >> of the developer.
> >> 
> >> Original at Russian: http://onsec.ru/vuln?id=20
> > 
> > Have you requested CVE-identifier for this?
> > 
> > ---
> > Henri Salo
> 

Please do: http://cve.mitre.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ