绿意蛙鸣

毕竟西湖六月中,风光不与四时同。
接天莲叶无穷碧,映日荷花别样红。

【转载】CVE-2014-9558 SmartCMS Multiple SQL Injection

来自:醉雨他乡游

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

 

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

 

Advisory Details:

 

 

(1) Vendor & Product Description

 

Vendor: Smartwebsites

 

 

Product & Version: SmartCMS v.2

 

Vendor URL & Download:

http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

 

 

Product Description:

“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

 

 

 

(2) Vulnerability Details:

SmartCMS v.2 has a security vulnerability. It can be exploited by SQL Injection attacks.

 

 

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

 

 

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

 

 

 

 

References:

http://www.tetraph.com/security/cves/cve-2014-9558-smartcms-sql-injection-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9558

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1501

http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201501-607

http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html

http://webtechhut.blogspot.com/2015/02/cve-2014-9558-smartcms-multiple-sql.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9558

https://biyiniao.wordpress.com/2015/02/11/cve-2014-9558-smartcms-multiple-sql-injection-security-vulnerability/

http://xforce.iss.net/xforce/xfdb/100332

http://lifegrey.tumblr.com/post/110700573094/ithut-cve-2014-9558-smartcms-multiple-sql

http://milw00rm.com/exploits/6672

http://guyuzui.lofter.com/post/1ccdcda4_5c409ca

http://www.inzeed.com/kaleidoscope/cves/cve-2014-9558-smartcms-multiple-sql-injection-security-vulnerability/

http://whitehatpost.blog.163.com/blog/static/242232054201511112757529/

 

 

 

 

评论