Security Advisory: SMBCMS v2.1 SQL injection. - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Related information
  Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)
  XSS in PBLang 4.65 Profile.php/UCP.php
  [SA17706] PHP-Post Cross-Site Scripting and Script Insertion Vulnerabilities
  [SA17741] blogBuddies Cross-Site Scripting Vulnerabilities
  [SA17736] SmartPPC Pro "username" Cross-Site Scripting Vulnerability

From: r0t <krustevs_(at)_googlemail.com>
Date: 25.11.2005
Subject: SMBCMS v2.1 SQL injection.

SMBCMS v2.1 SQL injection.
Vuln. dicovered by : r0t
Date: 25 nov. 2005
Orginal advisory:http://pridels.blogspot.com/2005/11/smbcms-v21-sql-injection.html
Vendor:www.smbcms.com
affected vesion: v2.1

Vuln. Description:
SMBCMS search engine contains a flaw that may allow an attacker to
carry out an SQL injection attack. The issue is due to the search
feature not properly sanitizing user-supplied input.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.