Info

Disclosure

Apr 15, 2008

Discovery

Unknown

Dates

Exploit

Apr 15, 2008

Solution

Unknown

Description

LASERnet CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'new' variable and that variable is assigned to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Solution: No Solution
Exploit: Exploit Available
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

LASERnet.gr

LASERnet CMS

1.11

References

FrSIRT Advisory: FrSIRT/ADV-2008-1239
Bugtraq ID: 28804
Milw0rm: 5454
Secunia Advisory ID: 29734
CVE ID: 2008-1913 (see also: NVD)
Vendor URL: http://cms.lasernet.gr/index.php?lang=en

Credit

cO2 - c02Hotmail.de - Algeria Security Crew

Direct URL: http://osvdb.org/36218