Danger Security Team Discovers BizIdea CMS SQLi Vulnerability
Iranian hackers from Danger Security Team have discovered a SQL injection bug:
BizIdea Design CMS 2015Q3 SQL Injection Vulnerability
Detail
A remote SQL injection web vulnerability has been discovered in the official BizIdea Design content management system. The vulnerability allows remote attackers to execute their own SQL commands and compromise the web application or the database management system.
The vulnerability is located in the `news_id` value of the `index.php` file. A remote attacker is able to execute their own SQL commands by manipulating a GET request that carries the vulnerable `news_id` parameter. The request method used to inject the SQL command is GET, and the issue is located on the application side of the online service.
The security risk of the SQL injection vulnerability is rated high, with a CVSS (Common Vulnerability Scoring System) score of 8.7. Exploitation of the remote SQL injection web vulnerability requires no user interaction and no privileged web application user account. Successful exploitation of the remote SQL injection results in compromise of the database management system, the web server, and the web application.
Fix
The SQL injection vulnerability is patched by using a secure prepared statement (or an entity layer) for requests made via GET with the vulnerable `news_id` value. Disallow special characters and escape the input to filter the parameter.
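The following is an added illustration of the fix the advisory recommends; it is not BizIdea CMS source code. It assumes a hypothetical `news` table with an integer `id` column and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not the vendor's code. Shows the vulnerable pattern the advisory
// describes (GET parameter concatenated into SQL) beside the recommended fix:
// integer validation plus a bound parameter in a prepared statement.

// BEFORE (vulnerable pattern, shown only for contrast - do not use):
// the raw `news_id` value from $_GET becomes part of the SQL text.
function fetchNewsUnsafe(PDO $pdo, array $get): ?array
{
    $sql = "SELECT id, title FROM news WHERE id = " . ($get['news_id'] ?? '');
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// AFTER (fixed): reject anything that is not a positive integer, then bind the
// value so the database never interprets it as SQL.
function fetchNewsSafe(PDO $pdo, array $get): ?array
{
    $id = filter_var(
        $get['news_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Caller should answer 400 Bad Request; the parameter is not a valid id.
        throw new InvalidArgumentException('news_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed demo data (hypothetical schema) in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO news (id, title) VALUES (1, 'First'), (2, 'Second')");

var_dump(fetchNewsSafe($pdo, ['news_id' => '2']));      // returns the row with id 2
try {
    fetchNewsSafe($pdo, ['news_id' => '2 abc']);        // tampered, non-integer value
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Validation alone is not the fix; the bound parameter is what keeps user input out of the SQL grammar, and the integer check simply rejects malformed requests early with a clear error.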
Bug found by:
wild.soldier (Behrouz Mansoori), Danger Security Team
Thanks: Nima Danger, Mehran_FLash, and all members …
All details here: http://iedb.ir/exploits-3606.html