# Title: [XSS, SQL injection vulnerability in I-Vision CMS]
# Date: [17.05.2010]
# Author: [Ariko-Security]
# Software Link: [http://international-vision.com/inner.php?id=14&type=2]
# Version: [ALL]

============{ Ariko-Security - Advisory #2/5/2010 } =============
XSS, SQL injection vulnerability in I-Vision CMS
Vendor's Description of Software:
http://international-vision.com/inner.php?id=14&type=2

Dork:
n/a

Application Info:
Name: I-Vision CMS
ALL versions

Vulnerability Info:
Type: XSS
Type: SQL injection Vulnerability
Risk: HIGH (BANK SYSTEMS)

Fix:
N/A

Time Table:
02/05/2010 - Vendor notified.
Input passed via the "type" parameter to inner.php is not properly
sanitised before being used in a SQL query.
Input passed to the "keys" parameter in search.php is not properly
sanitised before being returned to the user.
Solution:
Input validation of type parameter should be corrected.
Input validation of keys parameter should be corrected.

Vulnerability:
http://[site]/inner.php?id=14&type=2[SQLi]
http://[site]/search.php?Value=0&pages=1&keys=[XSS]
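The two handling mistakes the advisory describes, next to the corrected form, as an added example rather than I-Vision CMS source (which the advisory does not publish). The "unsafe" functions are an assumed shape of the defect; the table and column names, the PDO connection and the 100-character limit are placeholders.

```php
<?php
// Added example, not I-Vision CMS code. Table/column names are hypothetical.
declare(strict_types=1);

// --- inner.php: "type" (and "id") end up in a SQL query ----------------------
// Assumed shape of the defect: the raw query-string value is concatenated
// into the statement, so the value can change the statement itself.
function loadPageUnsafe(PDO $db, array $get): ?array
{
    $sql = "SELECT title, body FROM pages WHERE id = {$get['id']} AND type = {$get['type']}";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Corrected: validate both values as positive integers first, reject anything
// else, and bind them as typed parameters of a prepared statement.
function loadPageSafe(PDO $db, array $get): ?array
{
    $opts = ['options' => ['min_range' => 1]];
    $id   = filter_var($get['id']   ?? null, FILTER_VALIDATE_INT, $opts);
    $type = filter_var($get['type'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($id === false || $type === false) {
        http_response_code(400);   // reject; do not try to "clean" the value
        return null;
    }
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE id = :id AND type = :type');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':type', $type, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- search.php: "keys" is returned to the user -------------------------------
// Assumed shape of the defect: the search string is reflected into HTML as-is.
function renderSearchHeaderUnsafe(string $keys): string
{
    return "<h2>Results for: {$keys}</h2>";
}

// Corrected: encode for the HTML context at the point of output; the length
// cap (placeholder value) simply bounds what a single request can reflect.
function renderSearchHeaderSafe(string $keys): string
{
    $keys = mb_substr($keys, 0, 100);
    return '<h2>Results for: '
        . htmlspecialchars($keys, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}
```

A server-side check on `type` does not replace output encoding of `keys`: the first defect is a SQL-context problem, the second an HTML-context one, and each needs its own control.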
Credit:
Discovered By: MG / Ariko-Security

Advisory:
http://www.ariko-security.com/may2010/audyt_bezpieczenstwa_677.html

Website: http://Ariko-security.com
Contacts: support[-at-]ariko-security.com
Ariko-Security
vuln@ariko-security.com
tel.:+48512946012(Mo-Fr 10.00-20.00 CET)