==========================================
Found by: WarGame
Group: EOF-PROJECT
Links & mail: http://www.eof-project.net - wargame@eof-project.net
Link to storye CMS: http://www.dol.it
==========================================

It is possible to inject SQL code in storye CMS. This is an ASP CMS that allows you to manage dynamic sites and so on ...

The flaw is present in the script "dettaglio.asp": the parameters id_doc and id_aut are not sanitized, so it is possible to inject SQL code (in some cases).

Example:

http://www.dork.com/path_to_storye/dettaglio.asp?id_doc='[SQL code]
http://www.dork.com/path_to_storye/dettaglio.asp?id_aut='[SQL code]

Dorks in Google: "powered by storye"
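
A defender-side check for the flaw described above, as an added example that is not part of the original advisory: it scans web-server logs for requests to dettaglio.asp whose id_doc or id_aut value is not purely numeric. The IIS W3C field layout, the sample log lines and the assumption that both ids are integers are constructed for illustration.

```python
from urllib.parse import parse_qs

WATCHED_SCRIPT = "dettaglio.asp"
WATCHED_PARAMS = ("id_doc", "id_aut")  # assumed to be integer ids

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:00:01 GET /storye/dettaglio.asp id_doc=42 192.0.2.10 200
2024-01-10 09:00:07 GET /storye/dettaglio.asp id_doc=%27 192.0.2.55 500
2024-01-10 09:00:09 GET /storye/dettaglio.asp id_aut=7&id_doc=13 192.0.2.10 200
2024-01-10 09:00:15 GET /storye/Dettaglio.ASP id_aut=3%27 192.0.2.55 500
2024-01-10 09:00:20 GET /storye/index.asp q=o%27brien 192.0.2.11 200
"""


def suspicious_requests(log_text):
    """Return (date, time, client_ip, param, decoded_value, status) for each
    request to the watched script whose watched parameter is not all digits."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if not stem.endswith("/" + WATCHED_SCRIPT):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":  # W3C logs use "-" for an empty query string
            continue
        # parse_qs URL-decodes values, so %27 is compared as a literal quote.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in WATCHED_PARAMS:
                continue
            for value in values:
                if not (value.isascii() and value.isdigit()):
                    hits.append((row.get("date", "-"), row.get("time", "-"),
                                 row.get("c-ip", "-"), name, value,
                                 row.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The same digits-only rule can be enforced in the application before the value reaches the query, alongside parameterized queries.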