Accentis Content Resource Management System SQL Injection

2015-11-02T00:00:00
ID PACKETSTORM:134176
Type packetstorm
Reporter Chia Junyuan
Modified 2015-11-02T00:00:00

Description

                                        
                                            `Issue 1  
# Vulnerability type: SQL Injection  
# Vendor: http://www.accentis.com.au/  
# Product: Accentis Content Resource Management System  
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan  
# CVE ID: CVE-2015-3424  
  
# PROOF OF CONCEPT (SQLi)  
  
Accentis Content Resource Management System before October 2015 patch contains SQL Injection (SQLi) vulnerability which allows authenticated users to inject SQL statements via the following parameter.  
  
# VULNERABLE PARAMETER:  
- SIDX  
  
# SAMPLE PAYLOAD  
- '  
  
# TIMELINE  
- 15/04/2015: Vulnerability found  
- 09/07/2015: Vendor informed  
- 09/07/2015: Vendor responded and acknowledged  
- 28/10/2015: Vendor fixed the issue  
- 02/11/2015: Public disclosure  
`