August 20, 2006

PinoyInfosec Advisory PI-2006-001: Web500 CMS Multiple SQL Injection Vulnerabilities

BACKGROUND

Web500 CMS is an Enterprise Web Content Management product.
http://www.web500.com/

VULNERABILITY DESCRIPTION

Web500 does not properly validate input in the fronteditor script, which allows an attacker to execute arbitrary SQL commands. An attacker can manipulate data on the CMS by passing specially crafted SQL statements through the Dbcountry variable.

AFFECTED VERSION

2.80

SOLUTION

As a temporary solution, restrict public access to the /fronteditor/ folder.

VENDOR RESPONSE

The vendor has been notified.

DISCLOSURE TIMELINE

08/20/2006 Initial vendor notification.

CREDIT

This vulnerability was discovered by Daniel Tumalad of SGV-ACCeS.
danieltumalad[at]yahoo.com

"DMonkey lives."
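
To see whether the Dbcountry parameter has been probed, and to confirm that the /fronteditor/ restriction holds, the following added example (not part of the original advisory or of Web500) scans web server access logs for requests under /fronteditor/ whose Dbcountry value falls outside an allowlist. Assumptions: Common Log Format, the parameter arrives in the query string (POST bodies are not logged), legitimate values are short alphanumeric tokens, and the script name `example` and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate Dbcountry values are short alphanumeric tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; "example" is a hypothetical script name.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2006:10:01:02 +0800] '
    '"GET /fronteditor/example?Dbcountry=PH HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Aug/2006:10:01:09 +0800] '
    '"GET /fronteditor/example?Dbcountry=PH%27 HTTP/1.1" 500 87',
    '203.0.113.9 - - [20/Aug/2006:10:01:15 +0800] '
    '"GET /index?Dbcountry=PH%27 HTTP/1.1" 200 300',
]


def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for each /fronteditor/ request
    whose Dbcountry value does not match the allowlist."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a parseable access-log entry
        client_ip, _method, target, _status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().startswith("/fronteditor/"):
            continue  # only the folder named in the advisory
        # parse_qsl percent-decodes, so encoded metacharacters are seen as-is.
        for name, value in parse_qsl(url.query):
            if name.lower() == "dbcountry" and not SAFE_VALUE.fullmatch(value):
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for client_ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client_ip}: unexpected Dbcountry value {value!r}")
```

Once the workaround is in place, any request under /fronteditor/ from a public address that still returns a non-403 status shows the restriction is incomplete.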