by r0t,der4444,cembo,VietMafia

Sunday, November 27, 2005

SDMS 2.0 SQL inj. vuln.

Simple Document Management System SQL injection Vuln.

Vuln. discovered by: r0t
Date: 27 Nov. 2005
Vendor: http://sdms.cafuego.net/
Affected version: 2.0-CVS and prior

Product Description:
SDMS uses PHP to provide you with a pretty interface to a MySQL server that allows you to store and retrieve documents and to share those documents between users. In addition, the system uses ACL (Access Control Lists) to grant access rights to documents on a per-user basis. It allows you to distribute project documentation on a need-to-know basis, whilst keeping a central repository of documents that is accessible to all team members and easy to manage.



Vuln. description:
Input passed to the "folder_id" parameter in "list.php" and the "mid" parameter in "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/list.php?folder_id=[SQL]
/messages.php?forum=1&action=view&mid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.
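
One way to apply this fix to an id parameter such as "folder_id" or "mid", as an added example that is not SDMS source code: the value is accepted only if it is a positive integer, and it reaches the database as a bound parameter instead of being concatenated into the query string. The function names, the "documents" table and its columns are hypothetical, and an in-memory SQLite database with constructed rows stands in for the MySQL server so the script runs on its own.

```php
<?php
// Added example, not SDMS code. parse_id(), list_folder() and the
// "documents" schema are hypothetical names chosen for illustration.

// Return the id as an int >= 1, or null if the raw request value is
// missing, an array (folder_id[]=...), or not a decimal integer.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is sent as a typed bound parameter; the SQL text is constant.
function list_folder(PDO $db, int $folderId): array
{
    $stmt = $db->prepare('SELECT id, name FROM documents WHERE folder_id = :fid');
    $stmt->bindValue(':fid', $folderId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data standing in for the real document store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, folder_id INTEGER, name TEXT)');
$db->exec("INSERT INTO documents (folder_id, name) VALUES (1, 'spec.pdf'), (1, 'notes.txt'), (2, 'budget.xls')");

// Constructed request values: two well-formed ids and three malformed ones.
foreach (['1', '2', 'abc', '1 trailing text', ''] as $raw) {
    $id = parse_id($raw);
    if ($id === null) {
        // In a real page handler: respond with HTTP 400 and stop.
        echo 'rejected: ' . var_export($raw, true) . "\n";
        continue;
    }
    echo "folder $id: " . count(list_folder($db, $id)) . " document(s)\n";
}
```

Against MySQL the same prepare/bindValue calls apply with a mysql: DSN; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.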

Copyright (c) 2006 Pridels Sec Crew