# Title: [SQL injection vulnerability in SmartCMS v.2] # Date: [04.05.2010] # Author: [Ariko-Security] # Software Link: [http://www.smartwebsites.com.cy/] # Version: [V.2] ============ { Ariko-Security - Advisory #1/5/2010 } ============= SQL injection vulnerability in SmartCMS v.2 Vendor's Description of Software: # http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en Dork: # n/a Application Info: # Name: SmartCMS # Versions: V.2 Vulnerability Info: # Type: SQL injection Vulnerability # Risk: medium Fix: # N/A Time Table: # 22/04/2010 - Vendor notified. Input passed via the "pageid" ,"lang" parameters to index.php is not properly sanitised before being used in a SQL query. Solution: # Input validation of "pageid","lang" parameters should be corrected. Vulnerability: # http://[site]/index.php?pageid=[SQLi]&lang=[SQLi] Credit: # Discoverd By: MG #Advisory: http://www.ariko-security.com/apr2010/audyt_bezpieczenstwa_652.html # Website: http://Ariko-security.com # Contacts: support[-at-]ariko-security.com Ariko-Security vuln@ariko-security.com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)