Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24302
HistoryJul 23, 2010 - 12:00 a.m.

SQL Injection vulnerability in coWiki

2010-07-2300:00:00
vulners.com
12
JSON

Hello Bugtraq!

I want to warn you about security vulnerability in coWiki.

Earlier I already wrote about XSS vulnerability in coWiki -
SecurityVulns ID:8005 (http://securityvulns.ru/Rdocument692.html).

Advisory: SQL Injection vulnerability in coWiki

URL: http://websecurity.com.ua/3496/

Affected products: coWiki 0.3.4 and previous versions.

Timeline:

23.01.2009 - found vulnerability.
12.09.2009 - announced at my site. After which I informed developers (both
original developer and maintainer), but they didn't answer.
21.07.2010 - disclosed at my site.

Details:

This is SQL Injection vulnerability.

SQL Injection:

http://site/index.php?node=-1'%20or%20version()%3Eā€™5

Already when I informed developers in 2007 about XSS hole, they answered me
that they didn't support this engine any more. So users of this system must
fix this hole by themselves (as previous one).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON