Home / os / winme

Natychmiast CMS Cross Site Scripting / SQL Injection Vulnera

Posted on 05 March 2010

==================================================================
Natychmiast CMS Cross Site Scripting / SQL Injection Vulnerability
==================================================================

       SQL injection and XSS vulnerability in NATYCHMIAST CMS 



Vendor's Description of Software:
# http://www.natychmiast-cms.pl/Natychmiast+CMS.html [Polish]

Dork:
# N/A

Application Info:
# Name: NATYCHMIAST CMS
Vulnerability Info:
# Type: SQL injection and XSS Vulnerability
# Risk: medium

Fix: 
# N/A

Time Table:
# 03/03/2010 - Vendor notified.

Input passed via the "id_str" parameter to index.php and a_index.php is not properly sanitised before being used in a SQL query.

Solution:
# Input validation of "id_str" parameter should be corrected.


Vulnerabilities:
# http://[site]/index.php?id_str=[SQLi] 
# http://[site]/a_index.php?id_str=[SQLi]
# XSS index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E
# XSS a_index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E



# ~  - [ [ : Inj3ct0r : ] ]

 

TOP

Malware :

Exploits :