SQL injection vulnerability in WebAdministrator Lite CMS

vendor:

WebAdministrator Lite CMS

by:

5,5

CVSS

MEDIUM

SQL injection Vulnerability

CWE

Product Name: WebAdministrator Lite CMS

Affected Version From: LITE

Affected Version To: LITE

Patch Exists: NO

Related CWE: N/A

CPE: a:jskinternet:webadministrator_lite_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

SQL injection vulnerability in WebAdministrator Lite CMS

Input passed via the 's' parameter to download.php is not properly sanitised before being used in a SQL query.

Mitigation:

Input validation of 's' parameter should be corrected.

Source

Exploit-DB raw data:

============ { Ariko-Security - Advisory #5/2/2010 } =============

       SQL injection vulnerability in WebAdministrator Lite CMS 


Vendor's Description of Software:
# http://jskinternet.pl/portal/jsk/3/Oferta.html

Dork:
# webadministrator lite

Application Info:
# Name: WebAdministrator Lite CMS
# Versions: LITE

Vulnerability Info:
# Type: SQL injection Vulnerability
# Risk: medium

Fix: 
# N/A

Time Table:
# 25/02/2010 - Vendor notified.
# 25/02/2010 - Vendor response "we will not release FIX for LITE, soon 

new version"....


Input passed via the "s" parameter to download.php is not properly 

sanitised before being used in a SQL query.

Solution:
# Input validation of "s" parameter should be corrected.


Vulnerability:
# http://[site]/download.php?s=[SQLi]&id=2324 

Credit:
# Discoverd By: MG
# Website: http://Ariko-security.com
# Contacts: support[-at-]ariko-security.com


Ariko-Security
Maciej Gojny
vuln@ariko-security.com
tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)