---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Symphony SQL Injection and File Upload Vulnerabilities SECUNIA ADVISORY ID: SA31293 VERIFY ADVISORY: http://secunia.com/advisories/31293/ CRITICAL: Highly critical IMPACT: Security Bypass, Manipulation of data, System access WHERE: >From remote SOFTWARE: Symphony 1.x http://secunia.com/product/19419/ DESCRIPTION: Raz0r has reported two vulnerabilities in Symphony, which can be exploited by malicious users to compromise a vulnerable system, and by malicious people to conduct SQL injection attacks. 1) Input passed in the "sym_auth" cookie to index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability allows e.g. logging in as administrator without valid administrator credentials. 2) A vulnerability is caused due to missing restrictions on what file types that users are allowed to upload in the File Manager. This can be exploited to execute arbitrary PHP code. Successful exploitation of this vulnerability requires valid administrator credentials (but see #1). The vulnerabilities are reported in version 1.7.01 downloaded before 2008-08-02 and all previous 1.x versions. SOLUTION: Apply the vendor's official patch: http://overture21.com/forum/comments.php?DiscussionID=1823 PROVIDED AND/OR DISCOVERED BY: Raz0r ORIGINAL ADVISORY: http://milw0rm.com/exploits/6177 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------