SmartCMS v.2 SQL injection vulnerability

2010-05-05T00:00:00
ID SECURITYVULNS:DOC:23761
Type securityvulns
Reporter Securityvulns
Modified 2010-05-05T00:00:00

Description

============ { Ariko-Security - Advisory #1/5/2010 } =============

   SQL injection vulnerability in SmartCMS v.2

Vendor's Description of Software:

http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

Dork:

n/a

Application Info:

Name: SmartCMS

Versions: V.2

Vulnerability Info:

Type: SQL injection Vulnerability

Risk: medium

Fix:

N/A

Time Table:

22/04/2010 - Vendor notified.

Input passed via the "pageid" and "lang" parameters to index.php is not properly sanitised before being used in a SQL query.

Solution:

Input validation of the "pageid" and "lang" parameters should be corrected.
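
One way to apply the recommended validation, as an added example that is not SmartCMS code and not part of the advisory. It assumes "pageid" is a positive integer and "lang" a short language code, as in the vendor URL above; the `pages` table, its columns, the allowed-language list and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: languages the site actually serves (hypothetical list).
const ALLOWED_LANGS = ['en', 'el'];

// Returns [int pageid, string lang], or null when either value is malformed.
function validate_page_request(array $query): ?array
{
    // Accept only a positive integer; arrays, empty strings and "13'" all fail.
    $pageId = filter_var($query['pageid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $lang = $query['lang'] ?? null;
    if ($pageId === false) {
        return null;
    }
    // Allow-list comparison is strict, so only exact known codes pass.
    if (!is_string($lang) || !in_array($lang, ALLOWED_LANGS, true)) {
        return null;
    }
    return [$pageId, $lang];
}

// Hypothetical page lookup: table and column names are illustrative.
function load_page(PDO $db, array $query): ?array
{
    $params = validate_page_request($query);
    if ($params === null) {
        return null; // caller answers 400 without touching the database
    }
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE id = :id AND lang = :lang');
    $stmt->bindValue(':id', $params[0], PDO::PARAM_INT);
    $stmt->bindValue(':lang', $params[1], PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER, lang TEXT, title TEXT, body TEXT)');
$db->exec("INSERT INTO pages VALUES (13, 'en', 'About', 'About us')");

var_dump(load_page($db, ['pageid' => '13', 'lang' => 'en']));    // well-formed request
var_dump(load_page($db, ['pageid' => "13'", 'lang' => 'en']));   // malformed pageid
var_dump(load_page($db, ['pageid' => '13', 'lang' => 'en;x']));  // lang not on the allow-list
```

Validation and parameter binding are independent layers here: the allow-list rejects malformed requests early, and the bound parameters keep the query safe even if the validation rules are later loosened.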

Vulnerability:

http://[site]/index.php?pageid=[SQLi]&lang=[SQLi]

Credit:

Discovered By: MG

Advisory:

http://www.ariko-security.com/apr2010/audyt_bezpieczenstwa_652.html

Website: http://Ariko-security.com

Contacts: support[-at-]ariko-security.com

Ariko-Security Maciej Gojny vuln@ariko-security.com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)