High-Tech Bridge SA Security Research Lab has discovered a vulnerability in TomatoCMS which could be exploited to execute arbitrary SQL commands in the application's database.
- SQL injection vulnerability in TomatoCMS
An input validation error exists in the "q" parameter of /news/search. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data.
Exploitation example:
http://host/news/search?q=sdf"+ANY_SQL_HERE
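The following is an added illustration, not TomatoCMS code: it reproduces the defect class described above (the search term concatenated into the SQL text) next to the parameterized form that fixes it, using an in-memory SQLite table with constructed sample rows. It assumes single-quoted string literals rather than the double quote shown in the request above (the quoting character depends on the database engine; the concatenation flaw is the same), and adds a LIKE-wildcard escape, since binding the parameter alone does not stop "%" or "_" from acting as wildcards.

```python
import sqlite3

# Constructed sample data: a tiny news table standing in for the CMS database.
SAMPLE_NEWS = [
    (1, "TomatoCMS 2.0.6 released"),
    (2, "Security notes for administrators"),
    (3, "Search tips"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_NEWS)
    return conn


def search_unsafe(conn, q):
    # Vulnerable pattern: the user-controlled term becomes part of the SQL text,
    # so a quote character inside q terminates the literal and whatever follows
    # is parsed as SQL instead of data.
    sql = "SELECT id, title FROM news WHERE title LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(q):
    # Neutralise LIKE metacharacters so the term is matched literally.
    return q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, q):
    # Hardened form: the term is a bound parameter and never touches the
    # statement text; ESCAPE keeps wildcards in q from widening the match.
    sql = "SELECT id, title FROM news WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(q) + "%",))]


def contrast(q):
    """Run both variants on the same input.

    Returns (unsafe_result, safe_result): each is a list of matching ids, except
    that unsafe_result is the exception class name when the concatenated query
    text was corrupted by the input.
    """
    conn = make_db()
    try:
        unsafe = search_unsafe(conn, q)
    except sqlite3.DatabaseError as exc:
        unsafe = type(exc).__name__
    safe = search_safe(conn, q)
    return unsafe, safe


if __name__ == "__main__":
    for term in ("Security", "sdf'", "%"):
        print(repr(term), "->", contrast(term))
```

A plain term behaves identically in both variants; a term carrying a quote breaks the concatenated statement (the symptom a database error log would show) while the bound parameter simply finds nothing; and a lone "%" matches every row through concatenation but is matched literally once escaped.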
The same vulnerability was found by Secunia Research (CVE-2010-1994) in version 2.0.4 and, according to the vendor, fixed in 2.0.5, but it reappeared in version 2.0.6. See the Secunia advisory for details:
http://secunia.com/secunia_research/2010-56