On Tue, 16 Feb 2010 11:04:47 +0100 Maciej Gojny <[email protected]> wrote:
> # Exploit Title: [Pogodny CMS SQL injection]
> # Date: [08.02.2010]
> # Author: [Ariko-Security]
> # Software Link: [http://www.cms.michalin.pl/moduly/pogodny/]
> # Version: [ALL]
> # Tested on: [freebsd / ubuntu]
>
> ============ { Ariko-Security - Advisory #2/2/2010 } =============
>
> SQL injection vulnerability in Pogodny CMS
>
>
> Vendor's Description of Software:
> # http://www.cms.michalin.pl/moduly/pogodny/ (PL)
> # vendor's DEMO http://www.cms.kr.media.pl/
>
> Dork:
> #pogodny CMS
>
> Application Info:
> # Name: pogodny CMS
> # Versions: ALL
>
> Vulnerability Info:
> # Type: SQL injection Vulnerability
> # Risk: High
>
> Fix:
> # N/A Vendor notified 08.02.2010
>
> It was found that "pogodny CMS" does not validate properly the "id"
> parameter value.
>
> Solution:
> # Input validation of "id" parameter should be corrected.
>
>
> Vulnerability:
> # http://[HOST]/?modul=niusy&id=61[Sqli]
>
> Credit:
> # Discovered By: MG
> # Website: http://Ariko-security.com
>
> Ariko-Security
> [email protected]
> tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)

Is there a CVE assigned for this issue?

---
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
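Added example, not part of the original posts and not code from the vendor or from Ariko-Security: a log check a site operator could run to find requests to the `modul=niusy` page whose `id` value is not a plain integer, the parameter the advisory reports as not validated. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-log-format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
# A legitimate article id is assumed to be a short run of ASCII digits.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def suspicious_id(url):
    """Return the offending id value if the request targets modul=niusy
    with an id that is not a plain integer, else None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "niusy" not in query.get("modul", []):
        return None
    # Check every occurrence: a repeated id parameter can hide a bad value.
    for value in query.get("id", []):
        if not NUMERIC_ID.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded id value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = suspicious_id(match.group(1))
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Feb/2010:11:00:01 +0100] "GET /?modul=niusy&id=61 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Feb/2010:11:00:07 +0100] "GET /?modul=niusy&id=61%27 HTTP/1.1" 500 312',
    '192.0.2.44 - - [16/Feb/2010:11:00:09 +0100] "GET /?modul=niusy&id=61&id=x HTTP/1.1" 200 5120',
    '192.0.2.10 - - [16/Feb/2010:11:00:12 +0100] "GET /?modul=galeria&id=abc HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric id {value!r}")
```

The same integer-only rule, applied in the application before the value reaches the database layer, is the input validation the advisory's "Solution" line calls for.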
