SQL Injection Vulnerability in Enano CMS

2010-11-16T00:00:00
ID HTB22709
Type htbridge
Reporter High-Tech Bridge
Modified 2010-11-16T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Enano CMS which could be exploited to execute arbitrary SQL commands in the application's database.

1) SQL injection vulnerability in Enano CMS: CVE-2010-4780
An input validation error exists in the way the application handles a user's email address. A remote attacker can create an account with a specially crafted email address and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
Step 1.
Register a new user with email: "any@email.com'SQL_CODE"
Step 2.
Log in with the new login and password.
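
The advisory does not show the affected code, so the following is an added example and not Enano CMS code. It contrasts an email value spliced into SQL text with the same value bound as a parameter. The in-memory SQLite database, the `users` table and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Email string quoted in the advisory; SQL_CODE is the advisory's own placeholder.
ADVISORY_EMAIL = "any@email.com'SQL_CODE"

# Conservative allow-list (assumption: not Enano's own validation rule).
# It is a second layer only; parameter binding is the actual fix.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def make_db():
    """Constructed in-memory schema standing in for the CMS user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    return db

def register_unsafe(db, username, email):
    """'Before' form: the email becomes part of the SQL statement text."""
    db.execute(
        f"INSERT INTO users (username, email) VALUES ('{username}', '{email}')"
    )

def register_safe(db, username, email):
    """Hardened form: validate the format, then bind values as parameters."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    db.execute("INSERT INTO users (username, email) VALUES (?, ?)",
               (username, email))

def find_by_email(db, email):
    """Bound lookup: stays safe even for rows stored before validation existed."""
    rows = db.execute("SELECT username FROM users WHERE email = ?", (email,))
    return rows.fetchall()

def quote_alters_statement(db, email):
    """True if the email changes the SQL structure of the unsafe INSERT."""
    try:
        register_unsafe(db, "probe", email)
    except sqlite3.Error:
        return True   # the quote ended the string literal early
    return False

if __name__ == "__main__":
    db = make_db()
    print("unsafe statement altered:", quote_alters_statement(db, ADVISORY_EMAIL))
    try:
        register_safe(db, "probe", ADVISORY_EMAIL)
    except ValueError as exc:
        print("safe registration rejected input:", exc)
```

Every query that later reads the stored email, including those run at login, needs the same parameter binding, because a value that was stored safely can still break a statement that concatenates it.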