List: bugtraq
Subject: Multiple vulnerabilities in MyDMS
From: Jose Antonio <joxeankoret () yahoo ! es>
Date: 2004-08-20 22:50:36
Message-ID: 20040820225036.17877.qmail () www ! securityfocus ! com
---------------------------------------------------------------------------
Multiple vulnerabilities in MyDMS
---------------------------------------------------------------------------
Author: Joxean Koret
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MyDMS
MyDMS is an open-source document management system based on PHP and MySQL,
published under the GPL.
Web : http://dms.markuswestphal.de/about.html
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. SQL Injection Vulnerability
A1. An SQL injection vulnerability exists in the file
/demo/out/out.ViewFolder.php. The parameter "FolderId" is not correctly
sanitized, so an attacker can append arbitrary SQL to the query that the
server executes. To provoke the error, request:
http://<host-with-mydms>/demo/out/out.ViewFolder.php?folderid=3 or 1=1as
(the space must be URL-encoded as %20 or + when the request is actually sent).
NOTE : I put "or 1=1as"; well, this doesn't work, but you can see the entire
SQL query that the server executes.
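The following is an added example, not MyDMS code and not from the advisory's author: it models the unsanitized "folderid" pattern in Python with an in-memory SQLite database standing in for MySQL, runs the two probes from the advisory against it, and shows the two fixes (type validation and parameter binding). The table tblFolders, its columns and its rows are assumptions constructed for the demonstration; the exact shape of the vulnerable PHP line is likewise assumed, since the advisory does not quote the source.

```python
# Added example, not MyDMS code: the unsanitised "folderid" pattern from
# out.ViewFolder.php modelled in Python, with an in-memory SQLite database
# standing in for MySQL. The table tblFolders, its columns and the rows are
# constructed here and are assumptions, not MyDMS's schema.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small folder table so the queries below run offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblFolders (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER)")
    db.executemany(
        "INSERT INTO tblFolders VALUES (?, ?, ?)",
        [(1, "root", 1), (2, "Accounting", 2), (3, "Public", 1), (4, "HR", 3)],
    )
    return db


def view_folder_vulnerable(db: sqlite3.Connection, folderid: str) -> list:
    """Mirrors the PHP anti-pattern  "... WHERE id = " . $_GET['folderid']
    (assumed shape of the flaw). The user-controlled string becomes SQL text."""
    sql = f"SELECT id, name, owner FROM tblFolders WHERE id = {folderid}"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # Models the verbose error page the advisory describes: a malformed
        # injection fails, but the error echoes the whole query back.
        raise RuntimeError(f"SQL error in: {sql}") from exc


def view_folder_fixed(db: sqlite3.Connection, folderid: str) -> list:
    """Two independent fixes: validate the type, then bind as a parameter."""
    if not folderid.isdigit():
        raise ValueError(f"folderid must be a positive integer: {folderid!r}")
    return db.execute(
        "SELECT id, name, owner FROM tblFolders WHERE id = ?", (int(folderid),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(view_folder_vulnerable(db, "3"))            # the intended row only
    print(view_folder_vulnerable(db, "3 or 1=1"))     # every row: injection worked
    try:
        view_folder_vulnerable(db, "3 or 1=1as")      # the advisory's probe
    except RuntimeError as err:
        print(err)                                    # error leaks the full query
    print(view_folder_fixed(db, "3"))
    try:
        view_folder_fixed(db, "3 or 1=1")
    except ValueError as err:
        print("rejected:", err)
```

With `3 or 1=1` the vulnerable query returns every folder; with the advisory's `3 or 1=1as` the query is malformed and the error carries the full SQL text, which is the information leak the advisory points out. Either fix alone stops the injection; keeping both means a future schema change that turns the column into a string does not silently reopen the hole.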
B. Unspecified File Download Vulnerability
B1. A directory traversal flaw in MyDMS allows a registered user (and only a
registered user) to download any file the web server process can read, such as
/etc/passwd, by supplying a value such as ../../../../../etc/passwd in a
parameter.
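The following is an added example, not MyDMS code: a download handler that canonicalises the requested name and refuses anything that resolves outside the document store, beside the join-and-open pattern that lets `../../../../../etc/passwd` walk out of it. The store layout (a `reports/q1.txt` inside the store and a `secret.txt` one level above it) is constructed in a temporary directory for the demonstration; MyDMS's real storage layout and parameter name are not known from the advisory.

```python
# Added example, not MyDMS code: a download handler that confines the
# requested name to the document store, beside the pattern that lets
# "../../../../../etc/passwd" walk out of it. The directory layout is built
# in a temporary directory here and is constructed for the demonstration.
import os
import tempfile


def make_store() -> str:
    """Create <tmp>/store/reports/q1.txt (inside) and <tmp>/secret.txt (outside)."""
    base = tempfile.mkdtemp(prefix="mydms-demo-")
    store = os.path.join(base, "store")
    os.makedirs(os.path.join(store, "reports"))
    with open(os.path.join(store, "reports", "q1.txt"), "w") as fh:
        fh.write("quarterly report")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not for download")
    return store


def vulnerable_document_path(store_root: str, requested: str) -> str:
    """Joins the user-supplied name straight onto the store directory.
    ".." segments are honoured, and an absolute name replaces the root."""
    return os.path.join(store_root, requested)


def vulnerable_read(store_root: str, requested: str) -> str:
    """The flawed handler: opens whatever the joined path points at."""
    with open(vulnerable_document_path(store_root, requested)) as fh:
        return fh.read()


def safe_document_path(store_root: str, requested: str) -> str:
    """Canonicalise (collapsing "..", symlinks, doubled separators), then
    verify the result is the store itself or lies beneath it."""
    root = os.path.realpath(store_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes the document store: {requested!r}")
    return candidate


def read_document(store_root: str, requested: str) -> str:
    """The fixed handler: only files under the store are opened."""
    with open(safe_document_path(store_root, requested)) as fh:
        return fh.read()


if __name__ == "__main__":
    store = make_store()
    print(read_document(store, "reports/q1.txt"))
    print(vulnerable_read(store, "../secret.txt"))     # traversal succeeds
    for probe in ("../secret.txt", "../../../../../etc/passwd", "/etc/passwd"):
        try:
            read_document(store, probe)
        except PermissionError as err:
            print("rejected:", err)
```

The check compares canonical paths rather than looking for a `..` substring, so encodings and symlink tricks that only surface after resolution are caught as well. Note that confinement is a separate control from authentication: the advisory's flaw is reachable only by registered users, and the fixed handler still serves any file under the store, so per-document authorisation has to be enforced on top of it.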
Affected Versions :
~~~~~~~~~~~~~~~~~~~
The SQL Injection problem is in versions prior to 1.4.2.
The file download problem is in all versions.
The fix:
~~~~~~~~
The SQL Injection problem is corrected in version 1.4.2.
The file download problem has not been corrected; the vendor has been
contacted.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es