Elxis CMS Banner Module MB_Tracker SQL Injection Vulnerability
TITLE: Elxis CMS Banner Module MB_Tracker SQL Injection Vulnerability
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 14 2007 12:00AM
UPDATE: Jun 15 2007 04:09AM
CREDIT: Nico Leidecker is credited with the discovery of this vulnerability.
VULNERABLE:
Elxis Elxis CMS 2006.4NOT VULNERABLE:
Elxis Elxis CMS 2006.3
Elxis Elxis CMS 2006.2
Elxis Elxis CMS 2006.1
Vai alla pagina originale su Security Focus
Discussion
The Banner Module for Elxis CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects Elxis 2006.4 and prior versions.
Exploit
Attackers can use a browser to exploit this issue.
Solution
Solution:
The vendor released an update to address this issue. Please see the references for more information.
Elxis Elxis CMS 2006.3
- Elxis mod_banners_patch_2006.zip
http://www.elxis.org/index.php?option=com_fserver&f=94
Elxis Elxis CMS 2006.2
- Elxis mod_banners_patch_2006.zip
http://www.elxis.org/index.php?option=com_fserver&f=94
Elxis Elxis CMS 2006.1
- Elxis mod_banners_patch_2006.zip
http://www.elxis.org/index.php?option=com_fserver&f=94
Elxis Elxis CMS 2006.4
- Elxis mod_banners_patch_2006.zip
http://www.elxis.org/index.php?option=com_fserver&f=94
References
References:
- Elxis CMS Homepage (Elxis )
- Security patch for module banners (Elxis )
- Elxis CMS <= 2006.4 - banner module - sql injection (nicoLeidecker@web.de)