`
SQL-injections in koobi-cms 4.2.3
_____________________________________________________________
The program: koobi-cms
Homepage: http://www.dream4.de/
Vulnerable Versions: 4.2.3
Has found: CENSORED [SVT] 28.04.05
_____________________________________________________________
The description
---------------
Vulnerability has been found in parameter page. In koobi-cms it
Refers to - p. Data transferred to this parameter not
Are filtered. Owing to it it is possible to make SQL-injections.
As at substitution of a symbol ', probably to define
House dir a server.
Still the mistake exists in parameter q. It is used for
Search on a site.
Examples
--------
http://127.0.0.1/index.php?p='[SQL code]
http://127.0.0.1/index.php?area=1&p='[SQL code]
http://127.0.0.1/index.php?q='[SQL code]
The conclusion
--------------
Vulnerability is found out in version 4.2.3, on other versions
Research did not spend. Probably they too are vulnerable.
-------------------------------------------------------------
CENSORED Search Vulnerabilities Team
www.security-tmp.net.ru
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation