A SQL injection vulnerability exists in DZcms v.3.1, a content management system developed by CyDezines. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords. The vulnerability is triggered when an attacker sends a maliciously crafted HTTP request to the vulnerable application. The Google Dork “Powered by DZcms” can be used to identify vulnerable websites. A proof-of-concept (POC) is available at http://www.demo.com/products.php?pcat=1'+union+select+all+convert(group_concat(username,0x3a,password)%20using%20latin1),2,3,4,5+from+users/* and a demo is available at http://www.psgdynamicsystems.com/products.php?pcat=1'+union+select+all+convert(group_concat(username,0x3a,password)%20using%20latin1),2,3,4,5+from+users/*. The vulnerability was discovered by Glafkos Charalambous and was published on milw0rm.com on January 11, 2009.