
Test ID: 1.3.6.1.4.1.25623.1.0.80057
Category: Web application abuses
Title: Etomite CMS id Parameter SQL Injection
Description:

Summary:
The remote web server contains a PHP script that is affected by a SQL
injection vulnerability.

Description:

The remote web server is running Etomite CMS, a PHP-based content
management system.

The version of Etomite CMS installed on the remote host fails to
sanitize input to the 'id' parameter before using it in the
'index.php' script in a database query.

Vulnerability Impact:
Provided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated
attacker can exploit this issue to manipulate SQL queries, possibly leading to disclosure of sensitive data,
attacks against the underlying database, and the like.

Solution:
No known solution was made available for at least one year since the
disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to
upgrade to a newer release, disable respective features, remove the product or replace the product by
another one.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2006-6048
BugTraq ID: 21135
http://www.securityfocus.com/bid/21135
Bugtraq: 20061116 Etomite CMS 0.6.1.2 Multiple Vulnerabilities ( Sql Injection + Local file inclusion )
http://www.securityfocus.com/archive/1/451838/100/0/threaded
Bugtraq: 20061117 Re: Etomite CMS 0.6.1.2 Multiple Vulnerabilities ( Sql Injection + Local file inclusion )
http://www.securityfocus.com/archive/1/451930/100/0/threaded
http://www.0xcafebabe.it/sploits/etm_0612_sqlinj.pl
http://www.etomite.org/forums/index.php?showtopic=6388
http://secunia.com/advisories/22885
http://www.vupen.com/english/advisories/2006/4558
XForce ISS Database: etomite-index-sql-injection(30328)
https://exchange.xforce.ibmcloud.com/vulnerabilities/30328
Copyright: Copyright (C) 2008 Justin Seitz





© 1998-2025 E-Soft Inc. All rights reserved.