BugTraq
Multiple vulnerabilities in MyDMS
Aug 20 2004 10:50PM
Jose Antonio (joxeankoret yahoo es)
---------------------------------------------------------------------------
Multiple vulnerabilities in MyDMS
---------------------------------------------------------------------------
Author: Joxean Koret
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MyDMS

MyDMS is an open-source document-management-system based on PHP and MySQL
published under the GPL.
Web : http://dms.markuswestphal.de/about.html
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. SQL Injection Vulnerability

A1. An SQL Injection vulnerability was found in the file
/demo/out/out.ViewFolder.php. The parameter "FolderId" is not correctly
sanitized and an attacker can inject any valid SQL command. You can try
the error:

http://<host-with-mydmbs>/demo/out/out.ViewFolder.php?folderid=3 or 1=1as

NOTE: I put or 1=1as; well, this doesn't work, but you can see the entire
SQL query that the server executes.

B. Unspecified File Download Vulnerability

B1. An error in the MyDMS software allows registered users (and only
registered users) to download any file, such as /etc/passwd, by inserting
in a parameter a text such as ../../../../../etc/passwd.
Affected Versions :
~~~~~~~~~~~~~~~~~~~
The SQL Injection problem is in versions prior to 1.4.2.
The file download problem is in all versions.

The fix:
~~~~~~~~
The SQL Injection problem is corrected in version 1.4.2.
The file download problem is not corrected, but the vendor has been contacted.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
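
The two input checks that would stop the requests described in the advisory, as an added PHP example that is not MyDMS code and not part of the original post. The function names, the example_folders table and the temporary storage directory are hypothetical, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added illustration, not MyDMS code: all names, paths and the table are hypothetical.

/** Accept only a short, positive decimal integer; reject everything else. */
function parse_folder_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;   // "3 or 1=1as" stops here, before any SQL is built
    }
    return (int) $raw > 0 ? (int) $raw : null;
}

/** Bind the id as a parameter instead of concatenating it into the query. */
function fetch_folder(PDO $db, int $id)
{
    $st = $db->prepare('SELECT id, name FROM example_folders WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC);   // false when no row matches
}

/** Resolve a user-supplied name and confirm the result stays under $root. */
function resolve_download(string $root, string $name): ?string
{
    $base = realpath($root);
    $full = realpath($root . DIRECTORY_SEPARATOR . $name);  // collapses ../ and symlinks
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Trailing separator keeps a sibling such as /data-old from matching /data.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo data: an in-memory SQLite table and a temporary document store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE example_folders (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO example_folders VALUES (3, 'reports')");
$root = sys_get_temp_dir() . '/dms-example-' . getmypid();
mkdir($root);
file_put_contents("$root/doc1.txt", 'constructed sample');

foreach (['3', '3 or 1=1as'] as $raw) {
    $id = parse_folder_id($raw);
    echo json_encode($raw), ' => ', $id === null ? 'rejected' : json_encode(fetch_folder($db, $id)), "\n";
}
foreach (['doc1.txt', '../../../../../etc/passwd'] as $name) {
    echo $name, ' => ', resolve_download($root, $name) ?? 'rejected', "\n";
}
unlink("$root/doc1.txt");
rmdir($root);
```

The containment check runs after realpath() so that the comparison is made on the canonical path, not on the string the user supplied.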
Copyright 2009, SecurityFocus