Full Disclosure mailing list archives
SQL injection vulnerability in Amelia CMS
From: Maciej Gojny <vuln () ariko-security com>
Date: Fri, 19 Feb 2010 14:14:54 +0100
# Title: [SQL injection vulnerability in Amelia CMS] # Date: [10.02.2010] # Author: [Ariko-Security] # Software Link: [http://www.ameliadesign.eu/] # Version: [ALL] # Tested on: [freebsd / ubuntu] ============ { Ariko-Security - Advisory #3/2/2010 } ============= SQL injection vulnerability in Amelia CMS Vendor's Description of Software: # http://www.ameliadesign.eu/index.php?page=1322&lang=eng&cnt=services Dork: # N/A Application Info: # Name: Amelia CMS # Versions: ALL Vulnerability Info: # Type: SQL injection Vulnerability # Risk: High Fix: # N/A Time Table # 10/02/2009 - Vendor notified. Input passed via the "page" parameter to index.php is not properly sanitised before being used in a SQL query and it is possible to get sensitive information using for example Time-Base Blind SQL Injection attacks. Solution: # Input validation of "page" parameter should be corrected. Vulnerability: # http://www.[site]/index.php?page=1322[SQLi]&lang=eng&cnt=services Credit: # Discoverd By: MG # Website: http://Ariko-security.com Advisory: #http://www.ariko-security.com/feb2010/ad453.html # Contacts: support[-at-]ariko-security.com Ariko-Security vuln () ariko-security com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SQL injection vulnerability in Amelia CMS Maciej Gojny (Feb 19)