============ { Advisory 25/08/2010 } =============

Professional Site Immobiliare Multiple vulnerabilities

Vendor's Description of Software:
# http://www.sitomastro.com

Application Info:
# Name: Professional Site Immobiliare

===============================================

Vulnerability Info:
# Type: SQL injection
# Risk: High

Solution:
# Input from the "id_annuncio" parameter should be validated and filtered.

Vulnerability:
# http://[site]/app_immobiliare/visualizza_annuncio.aspx?id_annuncio=1+[SQLi]

-----------------------------------------------

Vulnerability Info:
# Type: Remote File Upload
# Risk: High

Solution:
# Image validation should be performed on the server side, and the upload function should not be publicly accessible.

Vulnerability:
# http://[site]/Admin/mod_cont_mod.asp?Id=4&GP_upload=true

================================================

Time Table:
# 03/06/2010 - Vendor notified.

Fix:
# N/A

Credits:
# Discovered By: Locu
# Website: http://xlocux.wordpress.com
# Contacts: xlocux[-at-]gmail.com
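The SQL injection entry above is fixed by validating "id_annuncio" as an integer and passing it to the database as a typed parameter. The following ASP.NET (C#) code is an added illustration of that fix, not the vendor's code: the table name "annunci", the column names and the use of System.Data.SqlClient are assumptions about how a page like visualizza_annuncio.aspx might be backed.

```csharp
// Added example (not the vendor's code): hardening the id_annuncio parameter
// in an ASP.NET page such as visualizza_annuncio.aspx. The table "annunci"
// and its columns are assumed names, not taken from the product.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class ListingLookup
{
    // Accept only a plain positive integer of reasonable length. Anything else
    // (quotes, spaces, operators, comment markers) is rejected before any SQL
    // is built, so the parameter can never change the shape of the query.
    public static bool TryParseListingId(string raw, out int id)
    {
        id = 0;
        if (string.IsNullOrWhiteSpace(raw) || raw.Length > 9)
            return false;
        // NumberStyles.None: digits only, no sign, no whitespace, no separators.
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id)
               && id > 0;
    }

    // BEFORE: the pattern behind the reported weakness. The request value is
    // concatenated into the SQL text, so whatever it contains becomes SQL.
    public static string VulnerableQuery(string rawId)
    {
        return "SELECT * FROM annunci WHERE id_annuncio = " + rawId;
    }

    // AFTER: the SQL text is constant and the value travels as a typed parameter.
    public static SqlCommand BuildSafeQuery(SqlConnection conn, int id)
    {
        var cmd = new SqlCommand(
            "SELECT titolo, prezzo, descrizione FROM annunci WHERE id_annuncio = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    // Page-level usage: validate first, then parameterize. A failed validation
    // should surface as an HTTP 400 from the page, never as a database error.
    public static DataTable LoadListing(SqlConnection conn, string rawId)
    {
        if (!TryParseListingId(rawId, out int id))
            throw new ArgumentException("invalid id_annuncio");

        using (var cmd = BuildSafeQuery(conn, id))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The validation step is deliberately strict (only digits, bounded length) because the parameter is a numeric key; the parameterized command is the actual defence, and the input check just turns malformed requests into a clean 400 instead of a database round trip.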
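For the Remote File Upload entry, the solution calls for server-side image validation and for the upload function not to be reachable by arbitrary callers. The C# code below is an added illustration of those two controls, not the vendor's code: the storage directory, the size limit and the use of an IPrincipal for the admin session check are assumptions, and the product's actual admin model is not documented in the advisory.

```csharp
// Added example (not the vendor's code): server-side checks for an image
// upload handler such as the one behind mod_cont_mod.asp?GP_upload=true.
// The 2 MiB limit, the storage directory and the IPrincipal-based session
// check are assumptions made for this example.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Principal;

public static class ImageUpload
{
    private const int MaxBytes = 2 * 1024 * 1024;   // assumed limit: 2 MiB

    // File signatures (magic bytes) for the image types the gallery accepts.
    private static readonly Dictionary<string, byte[]> Signatures = new Dictionary<string, byte[]>
    {
        { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".gif", new byte[] { 0x47, 0x49, 0x46, 0x38 } },   // "GIF8" (GIF87a / GIF89a)
    };

    // Returns the extension to store under, or null if the upload is rejected.
    // The client-supplied name and Content-Type are never trusted on their own:
    // the extension must be on the allowlist AND the bytes must match it.
    public static string ValidateImage(string clientFileName, byte[] content)
    {
        if (content == null || content.Length == 0 || content.Length > MaxBytes)
            return null;

        string ext = Path.GetExtension(clientFileName ?? "").ToLowerInvariant();
        if (ext == ".jpeg") ext = ".jpg";
        if (!Signatures.TryGetValue(ext, out byte[] magic))
            return null;                                   // not an allowlisted image extension

        if (content.Length < magic.Length || !content.Take(magic.Length).SequenceEqual(magic))
            return null;                                   // extension says image, bytes say otherwise
        return ext;
    }

    // Stores an accepted upload under a server-generated name in a directory
    // that the web server does not serve, so a stored file is data, never a page.
    public static string SaveUpload(IPrincipal user, string storageDir, string clientFileName, byte[] content)
    {
        // Require an authenticated admin session before touching the upload at all.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("login required");

        string ext = ValidateImage(clientFileName, content);
        if (ext == null)
            throw new InvalidDataException("rejected: not an allowed image");

        string fileName = Guid.NewGuid().ToString("N") + ext;   // never reuse the client name
        string fullPath = Path.Combine(storageDir, fileName);
        File.WriteAllBytes(fullPath, content);
        return fileName;   // store this name with the record; serve it through a handler
    }
}
```

Three things matter here: the authentication check runs before any parsing of the upload, the accepted extension is derived from the allowlist rather than copied from the request, and the file lands outside the web root under a random name, so even a mis-classified file cannot be requested as a script.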