WebMaster Solutions WmsCms default.asp/printpage.asp Eingabe SQL Injection

VulDB: WebMaster Solutions WmsCms default.asp/printpage.asp Eingabe SQL Injection

General

scipID: 5339
Affected: WebMaster Solutions WmsCms
Published: 06/06/2010 (MG)
Risk: problematic
Entry: 92% complete
Created: 05/08/2012
Updated: 09/03/2012

Summary

A vulnerability was found in WebMaster Solutions WmsCms and classified as problematic. This issue affects an unknown function of the file default.asp/printpage.asp. The manipulation as part of a Eingabe leads to a sql injection vulnerability. Impacted is confidentiality, integrity, and availability.

The weakness was shared 06/06/2010 by MG with Ariko-Security as 65465 as knowledge base article (OSVDB). The advisory is shared for download at osvdb.org. The vendor was not invovled in the public release. The identification of this vulnerability is CVE-2010-2317 since 06/17/2010. The exploitability is told to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known.

An exploit has been developed by MG and been published even before and not after the advisory. The exploit is shared for download at exploit-db.com. The vulnerability was handled as a non-public zero-day exploit for at least 27 days. By approaching the search of inurl:default.asp/printpage.asp it is possible to find vulnerable targets with Google Hacking.

There are no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. The vulnerability is also documented in the databases at OSVDB (65465) and Secunia (SA25583). wmsdesign.net is providing further details.