[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj

To: Владимир Воронцов <vladimir.vorontsov@xxxxxxxx>
Subject: Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj
From: Henri Salo <henri@xxxxxxx>
Date: Thu, 22 Apr 2010 18:35:48 +0300

On Thu, 22 Apr 2010 09:52:26 +0400
Владимир Воронцов <vladimir.vorontsov@xxxxxxxx> wrote:

> In the system of site management Amiro.CMS found a critical
> vulnerability introduction operators database. The vulnerability
> allows an attacker, in particular, to compromise a target system,
> gain administrative access.
> 
> Vulnerability has been discovered introduction of operators database
> at user registration. An attacker can fill in the "signature in the
> forum" with special data and affect the structure of the query to the
> DBMS. Information about the request not be displayed on the screen,
> thus possibly
> 
> conduct "blind" injections in order to obtain data or injections in
> order to displace the data. Injection takes place in the operator
> database INSERT. Further details were not disclosed at the request of
> the developer.
> 
> Original at Russian: http://onsec.ru/vuln?id=20

Have you requested CVE-identifier for this?

---
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj
  - From: Владимир Воронцов

Prev by Date: [Full-disclosure] [Announcement] Introducing SecurityTube Tools section!
Next by Date: Re: [Full-disclosure] [Announcement] Introducing SecurityTube Toolssection!
Previous by thread: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj
Next by thread: Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj
Index(es):
- Date
- Thread