Multiple vulnerabilities in MyDMS

From: Jose Antonio (joxeankoretyahoo.es)
Date: Fri Aug 20 2004 - 17:50:36 CDT


---------------------------------------------------------------------------
                Multiple vulnerabilities in MyDMS
---------------------------------------------------------------------------
 
Author: Joxean Koret
Date: 2004
Location: Basque Country
 
---------------------------------------------------------------------------
 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
MyDMS
 
MyDMS is an open-source document-management system based on PHP and MySQL, published under the GPL.
 
Web : http://dms.markuswestphal.de/about.html
 
---------------------------------------------------------------------------
 
Vulnerabilities:
~~~~~~~~~~~~~~~~
 
A. SQL Injection Vulnerability
 
A1. An SQL injection vulnerability was found in the file /demo/out/out.ViewFolder.php.
The parameter "FolderId" is not correctly sanitized, so an attacker can inject
any valid SQL command. You can trigger the error with:
 
        http://<host-with-mydms>/demo/out/out.ViewFolder.php?folderid=3 or 1=1as
 
NOTE: I put "or 1=1as"; well, this doesn't work, but you can see the entire
SQL query that the server executes.
 
B. Unspecified File Download Vulnerability
 
B1. An error in the MyDMS software allows registered users (and only
registered users) to download any file, such as /etc/passwd, by supplying
a value such as ../../../../../etc/passwd in a parameter.
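The two defects above in a hypothetical PHP/MySQL handler, each beside a hardened form; this is an added example written for this report, not code from MyDMS, and the table name, function names and data-directory layout are assumptions.

```php
<?php
// Added example (not MyDMS's own code): the two bug classes from the advisory
// in a hypothetical PHP/MySQL handler, each followed by a hardened form.
// Assumed: a folders table named tblFolders and a documents directory $dataDir.

// --- A. SQL injection via folderid ----------------------------------------
// Vulnerable pattern: the raw GET value is spliced into the SQL text, so a
// value such as "3 or 1=1" rewrites the WHERE clause (the advisory's "3 or
// 1=1as" merely breaks the query and makes the server print it in the error).
function viewFolderVulnerable(mysqli $db, array $get): ?array {
    $sql = "SELECT * FROM tblFolders WHERE id = " . $get['folderid'];
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened: accept only a decimal integer and bind it as a typed parameter,
// so the value can never be interpreted as SQL syntax.
function viewFolderHardened(mysqli $db, array $get): ?array {
    if (!isset($get['folderid']) || !ctype_digit((string)$get['folderid'])) {
        http_response_code(400);          // reject "3 or 1=1as", "", "abc"
        return null;
    }
    $id = (int)$get['folderid'];
    $stmt = $db->prepare("SELECT * FROM tblFolders WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;   // needs mysqlnd
}

// --- B. Path traversal in file download -----------------------------------
// Vulnerable pattern: the requested name is joined to the data directory
// without canonicalisation, so "../../../../../etc/passwd" walks out of it.
function downloadVulnerable(string $dataDir, string $name): void {
    readfile($dataDir . '/' . $name);
}

// Hardened: canonicalise with realpath() and require the result to remain
// inside the data directory; anything that does not resolve is refused.
function resolveDownloadPath(string $dataDir, string $name): ?string {
    $base = realpath($dataDir);
    $full = realpath($dataDir . '/' . $name);
    if ($base === false || $full === false) {
        return null;                       // missing file or bad base dir
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the data dir
    }
    return $full;                          // safe to pass to readfile()
}
```

With the hardened download helper, a request for ../../../../../etc/passwd resolves to /etc/passwd, fails the prefix check and is refused, while a name inside $dataDir returns its canonical path.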
 
Affected Versions:
~~~~~~~~~~~~~~~~~~
 
The SQL injection problem is in versions prior to 1.4.2.
The file download problem is in all versions.
 
The fix:
~~~~~~~~
 
The SQL injection problem is corrected in version 1.4.2.
The file download problem is not yet corrected; the vendor has been contacted.
 
---------------------------------------------------------------------------
Contact:
~~~~~~~~
 
        Joxean Koret at
joxeanpiti<<<<<<<<>>>>>>>>yah00<<<<<<dot>>>>>es