Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17338
HistoryJun 25, 2007 - 12:00 a.m.

[Full-disclosure] Papoo CMS 3.6 - SQL Injection

2007-06-2500:00:00
vulners.com
12
JSON

Papoo Content Management System Backend SQL Injection Jun 24 2007

  • Product

    Papoo Content Management System

  • Vulnerable Versions

    Papoo 3.6 and maybe prior

  • Vendor Status

    The Vendor was notified and the issue was fixed.
    A patch is available at http://www.papoo.de/index/menuid/204/reporeid/215

  • Details

    The Papoo Content Management System is prone to an SQL Injection that can be
    exploited by any user with access to the backend system and with privileges
    to modify the navigation menu.

    The application will get the read and publish privileges for every usergroup
    and for every menu item that is meant to be edited and specified by the
    `selmenuid' GET parameter. It fails to sanitize the value of the parameter.

  • Impact

    Attackers may be able to execute arbitrary SQL queries.

  • Exploit

    No exploit required.

Nico Leidecker - http://www.leidecker.info

Erweitern Sie FreeMail zu einem noch leistungsstarkeren E-Mail-Postfach!
Mehr Infos unter http://produkte.web.de/club/?mc=021131

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON