[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj
- To: Владимир Воронцов <vladimir.vorontsov@xxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj
- From: Henri Salo <henri@xxxxxxx>
- Date: Thu, 22 Apr 2010 21:00:10 +0300
On Thu, 22 Apr 2010 21:20:26 +0400
Владимир Воронцов <vladimir.vorontsov@xxxxxxxx> wrote:
> No.
>
> On Thu, 22 Apr 2010 18:35:48 +0300, Henri Salo <henri@xxxxxxx> wrote:
> > On Thu, 22 Apr 2010 09:52:26 +0400
> > Владимир Воронцов <vladimir.vorontsov@xxxxxxxx> wrote:
> >
> >> In the system of site management Amiro.CMS found a critical
> >> vulnerability introduction operators database. The vulnerability
> >> allows an attacker, in particular, to compromise a target system,
> >> gain administrative access.
> >>
> >> Vulnerability has been discovered introduction of operators
> >> database at user registration. An attacker can fill in the
> >> "signature in the forum" with special data and affect the
> >> structure of the query to the DBMS. Information about the request
> >> not be displayed on the screen, thus possibly
> >>
> >> conduct "blind" injections in order to obtain data or injections in
> >> order to displace the data. Injection takes place in the operator
> >> database INSERT. Further details were not disclosed at the request
> >> of the developer.
> >>
> >> Original at Russian: http://onsec.ru/vuln?id=20
> >
> > Have you requested CVE-identifier for this?
> >
> > ---
> > Henri Salo
>
Please do: http://cve.mitre.org/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/