Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH4fPACKETSTORM:95269
HistoryOct 28, 2010 - 12:00 a.m.

Pub-Me CMS Blind SQL Injection

2010-10-2800:00:00
H4f
packetstormsecurity.com
17
JSON
` _______ _____ ___  
| | | | |.' _|  
| |__ | _|  
|___|___| |__||__|   
  
Pub-Me CMS Blind SQL Injection Vulnerability  
  
Name: Pub-Me CMS  
Vendor: http://www.pub-me.com/  
Versions Affected: //unknown, all current affected - devel. homepage & 33 clients web pages  
Software Link: Not aviable, Demo can be requested by e-mail from vendor  
Found by: H4f, <Sec was born project, Anonymous submission>  
Contact: zotrob [at] gmail [dot] com  
Date: 2010-10-25  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
Pub-Me Content Managment System is designed to make it possible for you to pay full  
attention to the content without having to bother about technologies.  
  
II. DESCRIPTION  
_______________  
  
NOT properly sanitised form before being used  
in a SQL query.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
All Pub-Me based websites are vulnerable, any more/less trained monkey can reach admin panel.  
______________________  
  
  
IV. SAMPLE CODE  
_______________  
  
Blind SQL Injection  
  
Login> ' or 0=0 #  
Pass> ' or 0=0 #  
  
V. FIX  
______  
  
Vedor contacted, no reponse.  
  
`
JSON