DPScms suffers from cross site scripting and remote SQL injection vulnerabilities.
1172dd0a331d74d1bba9483ebae01ac36691c8810418b49d871d17ac78d279fa
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Ariko-Security: Security Audits , Audyt bezpieczenstwa
# Advisory: 702/2010
============ { Ariko-Security - Advisory #3/6/2010 } =============
XSS vulnerability and SQL injection in DPScms ALL versions
Vendor's Description of Software:
# https://www.dpscms.pl
Dork:
# N/A
Application Info:
# Name: DPScms
# ALL versions
Vulnerability Info:
# Type: XSS, SQL injection
Time Table:
# 22/06/2010 - Vendor notified.
Fix:
# FIXED 29.06.2010
Input passed via the "q" parameter to index.php is not properly
sanitised before being used in a SQL query.
Input passed to the "q" parameter in index.php is not properly
sanitised before being returned to the user.
Solution:
# Input validation of q parameter should be corrected.
Vulnerability:
# https://[site]/index.php?q=[SQLi]
# https://[site]/index.php?q=[XSS]
Credit:
# Discoverd By: MG / Ariko-Security 2010
Advisory:
# https://www.ariko-security.com/june2010/audyt_bezpieczenstwa_702.html