Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21134
HistoryJan 13, 2009 - 12:00 a.m.

Visuplay CMS SQL injection vulnerability

2009-01-1300:00:00
vulners.com
19
JSON

http://www.visuplay.com

Visuplay is a web dev company that offers a CMS that goes with its websites that helps it be managed (after all, that Is what a cms does right?)

Anywho, you can add your own sql code to various query areas through out the CMS like news_article.php and content_page.php. Here's an example that seems to work:
http://www.example.com/html/news_article.php?press_id=1;DROP%20table%20news;--&nav_id=7

As stated in the URL, this will drop the news table, but other stuff can be done no doubt. They even run the CMS on their own site, so I wouldn't be surprised if it were vulnerable as well.

I emailed the devs, and am awaiting a response. Happy hacking!

JSON