WebAdministrator Lite CMS – SQL Injection

• Exploit Database
• 13 阅读

• 作者： Ariko-Security
  日期： 2010-02-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11579/

• ============ { Ariko-Security - Advisory #5/2/2010 } =============
  
   SQL injection vulnerability in WebAdministrator Lite CMS 
  
  
  Vendor's Description of Software:
  # http://jskinternet.pl/portal/jsk/3/Oferta.html
  
  Dork:
  # webadministrator lite
  
  Application Info:
  # Name: WebAdministrator Lite CMS
  # Versions: LITE
  
  Vulnerability Info:
  # Type: SQL injection Vulnerability
  # Risk: medium
  
  Fix: 
  # N/A
  
  Time Table:
  # 25/02/2010 - Vendor notified.
  # 25/02/2010 - Vendor response "we will not release FIX for LITE, soon 
  
  new version"....
  
  
  Input passed via the "s" parameter to download.php is not properly 
  
  sanitised before being used in a SQL query.
  
  Solution:
  # Input validation of "s" parameter should be corrected.
  
  
  Vulnerability:
  # http://[site]/download.php?s=[SQLi]&id=2324 
  
  Credit:
  # Discoverd By: MG
  # Website: http://Ariko-security.com
  # Contacts: support[-at-]ariko-security.com
  
  
  Ariko-Security
  Maciej Gojny
  vuln@ariko-security.com
  tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)