CMS Mundo News Module news_id Variable SQL Injection

2006-07-13T09:49:04
ID OSVDB:27139
Type osvdb
Reporter Andreas Sandblad (as@secunia.com)
Modified 2006-07-13T09:49:04

Description

Vulnerability Description

CMS Mundo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'news_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Technical Description

This vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.hotwebscripts.com/index.php?mod=webshop&function=
Secunia Advisory ID: 20589
Related OSVDB ID: 27141
Related OSVDB ID: 27142
Related OSVDB ID: 27140
Related OSVDB ID: 27143
Other Advisory URL: http://secunia.com/secunia_research/2006-52/advisory/
ISS X-Force ID: 27712
FrSIRT Advisory: ADV-2006-2783
CVE-2006-3135