---------------------------------------------------------------------------
Multiple vulnerabilities in MyDMS
---------------------------------------------------------------------------

Author: Joxean Koret
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MyDMS

MyDMS is an open-source document management system based on PHP and MySQL, published under the GPL.

Web: http://dms.markuswestphal.de/about.html

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. SQL Injection Vulnerability

A1. An SQL injection vulnerability was found in the file /demo/out/out.ViewFolder.php. The parameter "FolderId" is not correctly sanitized, so an attacker can inject any valid SQL command into the query.

You can trigger the error with:

http:///demo/out/out.ViewFolder.php?folderid=3 or 1=1as

NOTE: I put "or 1=1as"; well, this doesn't work, but you can see the entire SQL query that the server executes.

B. Unspecified File Download Vulnerability

B1. An error in the MyDMS software allows registered users (and only registered users) to download any file, such as /etc/passwd, by supplying in a parameter a value such as ../../../../../etc/passwd.

Affected Versions:
~~~~~~~~~~~~~~~~~~

The SQL injection problem is in versions prior to 1.4.2.
The file download problem is in all versions.

The fix:
~~~~~~~~

The SQL injection problem is corrected in version 1.4.2.
The file download problem is not corrected, but the vendor has been contacted.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es
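The two issue classes above (an unvalidated numeric parameter reaching SQL, and a user-supplied file name reaching the filesystem) have well-known fixes. The following is an added example written for this advisory, not MyDMS code or the vendor's 1.4.2 patch; it is in Python rather than PHP so the checks can be run stand-alone. The "folders" table, the document root "/srv/mydms/data" and the request values are constructed for illustration, and the query shape is assumed to mirror a folder lookup by id.

```python
"""Defensive handling for the two MyDMS issue classes described in the advisory.

Added example, not MyDMS code. The table layout, document root and request
values below are constructed for illustration.
"""
import os
import sqlite3


def parse_folder_id(raw: str) -> int:
    """Accept only a plain ASCII decimal integer for the folderid parameter.

    Anything else (e.g. "3 or 1=1as") is rejected before it can reach SQL,
    which closes the injection path described under A1.
    """
    raw = raw.strip()
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"invalid folder id: {raw!r}")
    return int(raw)


def view_folder(conn: sqlite3.Connection, raw_folder_id: str) -> list:
    """Look up a folder with a parameterized query instead of string concatenation.

    Even if the integer check were bypassed, the driver binds the value as
    data, so it can never be parsed as part of the SQL statement.
    """
    folder_id = parse_folder_id(raw_folder_id)
    cur = conn.execute("SELECT id, name FROM folders WHERE id = ?", (folder_id,))
    return cur.fetchall()


def resolve_download(document_root: str, requested: str) -> str:
    """Resolve a requested file name inside document_root and refuse to escape it.

    Mitigates B1: ".." segments and absolute paths are normalized by realpath,
    and any result that is not below the root is rejected.
    """
    root = os.path.realpath(document_root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory folders table standing in for the MyDMS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folders (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO folders VALUES (?, ?)",
                     [(1, "root"), (3, "invoices")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(view_folder(db, "3"))
    for bad in ("3 or 1=1as", "3; DROP TABLE folders"):
        try:
            view_folder(db, bad)
        except ValueError as exc:
            print("rejected:", exc)
    try:
        resolve_download("/srv/mydms/data", "../../../../../etc/passwd")
    except PermissionError as exc:
        print("rejected:", exc)
```

The integer check and the bound parameter are deliberately redundant: the first rejects malformed input with a clear error, the second guarantees that whatever reaches the database is treated as a value. For the download path, comparing against `os.path.realpath(root)` rather than the raw root string means symlinked data directories are handled consistently, and an absolute value such as "/etc/passwd" is caught by the same containment test as a "../" sequence.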