Professional Site Immobiliare suffers from a remote SQL injection vulnerability.
============ { Advisory 25/08/2010 } =============
Professional Site Immobiliare Multiple vulnerabilities
Vendor's Description of Software:
# http://www.sitomastro.com
Application Info:
# Name: Professional Site Immobiliare
===============================================
Vulnerability Info:
# Type: SQL injection
# Risk: High
Solution:
# Input passed in the "id_annuncio" parameter should be validated and filtered.
Vulnerability:
# http://[site]/app_immobiliare/visualizza_annuncio.aspx?id_annuncio=1+[SQLi]
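
Added example (not part of the original advisory or the vendor's code): the validation recommended above for "id_annuncio", modelled in Python with an in-memory SQLite table so it runs offline. The table name annunci, its columns, the 32-bit id bound and the function names are assumptions; the same two steps apply in the ASP.NET page (strict integer parsing, then a bound query parameter).

```python
import sqlite3

MAX_ID = 2**31 - 1  # assumed upper bound: the listing key is a 32-bit integer


def make_db():
    """Constructed stand-in for the application's listings table (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE annunci (id_annuncio INTEGER PRIMARY KEY, titolo TEXT)")
    db.executemany("INSERT INTO annunci VALUES (?, ?)",
                   [(1, "Appartamento centro"), (2, "Villa con giardino")])
    return db


def parse_id_annuncio(raw):
    """Return the id as int, or None unless raw is a plain positive ASCII integer."""
    if raw is None or len(raw) > 10:
        return None
    # isascii() + isdigit() rejects signs, whitespace, quotes, Unicode digits
    # and anything appended after the number.
    if not (raw.isascii() and raw.isdigit()):
        return None
    value = int(raw)
    return value if 1 <= value <= MAX_ID else None


def get_annuncio(db, raw_id):
    """Handler logic returning (status, row); bad input is rejected before any query."""
    listing_id = parse_id_annuncio(raw_id)
    if listing_id is None:
        return 400, None
    # Bound parameter: the value is never concatenated into the SQL text.
    row = db.execute(
        "SELECT id_annuncio, titolo FROM annunci WHERE id_annuncio = ?",
        (listing_id,),
    ).fetchone()
    return (200, row) if row else (404, None)


if __name__ == "__main__":
    db = make_db()
    # Constructed sample values for the query-string parameter.
    for raw in ["1", "2", "99", "1 trailing-text", "1'", "", "-1", "99999999999"]:
        print(repr(raw), "->", get_annuncio(db, raw))
```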
-----------------------------------------------
Vulnerability Info:
# Type: Remote File Upload
# Risk: High
Solution:
# Image validation should be performed on the server side and should not be accessible.
Vulnerability:
# http://[site]/Admin/mod_cont_mod.asp?Id=4&GP_upload=true
================================================
Time Table:
# 03/06/2010 - Vendor notified.
Fix:
# N/A
Credits:
# Discovered By: Locu
# Website: http://xlocux.wordpress.com
# Contacts: xlocux[-at-]gmail.com