Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23358
HistoryMar 11, 2010 - 12:00 a.m.

SQL injection vulnerability in Natychmiast CMS

2010-03-1100:00:00
vulners.com
23
JSON

Title: [SQL injection vulnerability in Natychmiast CMS]

Date: [03.03.2010]

Author: [Ariko-Security]

Software Link: [http://www.natychmiast-cms.pl/]

Version: [ALL]

============ { Ariko-Security - Advisory #2/3/2010 } =============

   SQL injection and XSS vulnerability in NATYCHMIAST CMS

Vendor's Description of Software:

http://www.natychmiast-cms.pl/Natychmiast+CMS.html [Polish]

Dork:

N/A

Application Info:

Name: NATYCHMIAST CMS

Vulnerability Info:

Type: SQL injection and XSS Vulnerability

Risk: medium

Fix:

N/A

Time Table:

03/03/2010 - Vendor notified.

Input passed via the "id_str" parameter to index.php and a_index.php is not properly sanitised before
being used in a SQL query.

Solution:

Input validation of "id_str" parameter should be corrected.

Vulnerabilities:

http://[site]/index.php?id_str=[SQLi]

http://[site]/a_index.php?id_str=[SQLi]

XSS index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E

XSS a_index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E

Credit:

Discoverd By: MG

Website: http://www.ariko-security.com/mar2010/ad519.html

Contacts: support[-at-]ariko-security.com

Ariko-Security
Maciej Gojny
[email protected]
tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)

JSON