PHPDeveloper.org: FrSIRT: Vivvo Article Management CMS SQL Injection and PHP File Inclusion Vulnerabilities

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Job Posting: Vermont Information Processing Seeks Senior/Lead PHP Developer (Burlington, VT)

Job Posting: Mediware Blood Center Technologies Seeks PHP Software Developer (Jacksonville, FL)

PHP Zone: Can Learning Drupal Get You a Job?

Job Posting: Tilllate Media Seeks Senior PHP Developer (Glasgow, UK)

Job Posting: Agency Matrix Seeks Senior Application Developer (Addison, TX)

Job Posting: HUGE Seeks Freelance Zend/WordPress Developer (Brooklyn, NY)

Job Posting: Abbott Laboratories Seeks PHP Developer (Irving, TX)

Job Posting: BetFair Seeks Lead Software Engineer (Web)

Job Posting: Uplifting Innovations Seeks Lead PHP Developer (Portland, OR)

Job Posting: Ganz Seeks PHP Developer (Toronto, Ontario)

News Archive

Symfony Blog: Running a TV station with symfony

Eli White's Blog: Conferences, Speakers & Presentations

Ibuildings techPortal: Zend Studio formatted for Zend Framework and ATK

NETTUTS.com: How to Create a PHP/MySQL Powered Forum from Scratch

InsicDesigns Blog: Embracing PHP 5.3 MVC with MiMViC

Brandon Savage's Blog: Learning Zend Framework: A Case Study

Ibuildings Blog: New white paper: Continuous Integration

Site News: Blast from the Past - One Year Ago in PHP

P'unk Avenue Blog: Faster, PHP! Kill! Kill!

Jack Diederich's Blog: Comparing the Ruby/PHP/Python C Interpreters

FrSIRT:
Vivvo Article Management CMS SQL Injection and PHP File Inclusion Vulnerabilities

by Chris Cornutt September 18, 2006 @ 14:08:57

The FrSIRT site has posted a new advisory for users of the Vivvo Article Management CMS software about potential holes that could allow for some very large-scale damage to be done.

Multiple vulnerabilities have been identified in Vivvo Article Management CMS, which could be exploited by remote attackers to compromise a vulnerable server.

The first issue is due to an input validation error in the "pdf_version.php" script that does not validate the "id" parameter before being used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.

The second vulnerability is due to an input validation error in the "index.php" script that do not validate the "classified_path" parameter, which may be exploited by remote attackers to include local or remote scripts with the privileges of the web server.

Versions 3.2 and higher of the software are effected, and, unfortunately, there has been no patch issued for the issue.

0 comments voice your opinion now!
security issue vivvo article management cms sql injection file inclusion security issue vivvo article management cms sql injection file inclusion

Similar Posts

Gareth Heyes' Blog: Exploiting PHP SELF

The Bakery: 10 New CakePHP Articles, Tutorials and Helpers

Internet Storm Center: Invision Power Board Vulnerability

Joshua Eichorn\'s Blog: PHP AJAX File Upload Progress Meter Updates

Community News: Vote on the Best Open Source CMS

Community Events

Don't see your event here?
Let us know!

All content copyright, 2010 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework