Danger Security Team Discovers BizIdea CMS SQLi Vulnerability

Iranian hackers from Danger Security Team have discovered an SQL injection bug:

BizIdea Design CMS 2015Q3 SQL Injection Vulnerability

Detail

A remote SQL injection web vulnerability has been discovered in the official BizIdea Design content management system. The vulnerability allows remote attackers to execute their own SQL commands and compromise the web application or the database management system.

The vulnerability is located in the `news_id` value of the `index.php` file. A remote attacker is able to execute SQL commands by manipulating the vulnerable `news_id` parameter of a GET request. The request method used to inject the SQL command is GET, and the issue is located on the application side of the online service.

The security risk of the SQL injection vulnerability is rated high, with a CVSS (Common Vulnerability Scoring System) score of 8.7. Exploitation of the remote SQL injection web vulnerability requires no user interaction and no privileged web application user account. Successful exploitation of the remote SQL injection results in compromise of the database management system, the web server, and the web application.

Fix

The SQL injection vulnerability is patched by using a secure prepared statement (or a parameterised entity) for requests via GET that carry the vulnerable `news_id` value. Disallow special characters and escape or filter the input of the parameter.
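The fix described above, as an added PHP example that is not BizIdea's own code: the `news_id` GET value is validated as a positive integer and then bound through a PDO prepared statement instead of being concatenated into the query. The `news` table and its columns are assumed, and an in-memory SQLite database stands in for the real one so the script runs offline.

```php
<?php
// Added example (not from the BizIdea CMS): hardened lookup for the news_id parameter.
// Assumed schema; the in-memory SQLite database only exists so this runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (news_id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$pdo->exec("INSERT INTO news (news_id, title) VALUES (1, 'First post'), (2, 'Second post')");

// The pattern the advisory describes is string concatenation of the raw GET value, e.g.
//   "SELECT ... FROM news WHERE news_id = " . $_GET['news_id']
// which lets the client change the query. The function below replaces it.
function fetch_news(PDO $pdo, $newsId): ?array
{
    // news_id is an integer key: reject anything that is not a positive integer
    // before it gets anywhere near the database (no escaping needed for ints).
    $id = filter_var($newsId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller answers with HTTP 400 or 404
    }

    // Prepared statement: the value is sent as a bound parameter, never as SQL text.
    $stmt = $pdo->prepare('SELECT news_id, title FROM news WHERE news_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values standing in for $_GET['news_id'].
foreach (['2', '2abc', '-1', '999'] as $value) {
    $row = fetch_news($pdo, $value);
    printf("news_id=%-6s -> %s\n", $value, $row === null ? 'rejected / not found' : json_encode($row));
}
```

Only `2` returns a row; `2abc` and `-1` fail integer validation before any query runs, and `999` is a clean miss on the bound lookup.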

Bug found by:

wild.soldier (behrouz mansoori), Danger Security Team
Thanks: Nima, Danger, Mehran_FLash and all members …

All detail here: http://iedb.ir/exploits-3606.html
