Natychmiast CMS Cross Site Scripting / SQL Injection

🗓️ 05 Mar 2010 00:00:00Reported by Ariko-SecurityType

packetstorm🔗 packetstormsecurity.com👁 22 Views

SQL injection and XSS vulnerability in Natychmiast CMS, discovered by Ariko-Securit

`# Title: [SQL injection vulnerability in Natychmiast CMS]  
# Date: [03.03.2010]  
# Author: [Ariko-Security]  
# Software Link: [http://www.natychmiast-cms.pl/]  
# Version: [ALL]  
  
  
============ { Ariko-Security - Advisory #2/3/2010 } =============  
  
SQL injection and XSS vulnerability in NATYCHMIAST CMS   
  
  
  
Vendor's Description of Software:  
# http://www.natychmiast-cms.pl/Natychmiast+CMS.html [Polish]  
  
Dork:  
# N/A  
  
Application Info:  
# Name: NATYCHMIAST CMS  
Vulnerability Info:  
# Type: SQL injection and XSS Vulnerability  
# Risk: medium  
  
Fix:   
# N/A  
  
Time Table:  
# 03/03/2010 - Vendor notified.  
  
Input passed via the "id_str" parameter to index.php and a_index.php is not properly sanitised before being used in a SQL query.  
  
Solution:  
# Input validation of "id_str" parameter should be corrected.  
  
  
Vulnerabilities:  
# http://[site]/index.php?id_str=[SQLi]   
# http://[site]/a_index.php?id_str=[SQLi]  
# XSS index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E  
# XSS a_index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E  
  
  
Credit:  
# Discoverd By: MG  
# Website: http://www.ariko-security.com/mar2010/ad519.html  
# Contacts: support[-at-]ariko-security.com  
  
  
Ariko-Security  
Maciej Gojny  
[email protected]  
tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)  
  
  
  
`

05 Mar 2010 00:00Current

0.5Low risk

Vulners AI Score0.5