|
||
| Editor Login | Register | ||
| > World > Security |
|
|
| Acidcat CMS Multiple Vulnerabilities | ||||||||||||||||||||||||
Description: AmnPardaz Security Research Team have reported some vulnerabilities and a security issue in Acidcat CMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, or to bypass certain security restrictions. 1) Input passed to the "cID" parameter in default.asp and the "username" parameter in main_login2.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary code. 2) A security issue is caused due to improper restricting access to default_mail_aspemail.asp. This can be exploited to send mails via the affected application. 3) Input passed to the "field" parameter in admin/admin_colors_swatch.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user"s browser session on context of an affected site. The vulnerabilities and the security issue are reported in version 3.4.1. Other versions may also be affected. Solution: Edit the source code to ensure that input is properly sanitised. Restrict access to default_mail_aspemail.asp. Provided and/or discovered by: AmnPardaz Security Research Team Original Advisory: http://www.bugreport.ir/?/36 | ||||||||||||||||||||||||
|
| Bağlantılar: bilgininefendisi.net |
| Open Source Document Project | AUP&TOS |
