| VID |
21896 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Limbo CMS program is vulnerable to an SQL injection vulnerability via the 'catid' parameter. Limbo CMS is a content-management system (CMS) written in PHP. Limbo CMS version 1.0.4.2 and earlier versions are vulnerable to an SQL injection vulnerability, caused by improper filtering of user-supplied input passed to the 'catid' parameter of the 'index.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself. In addition, it can also be exploited to bypass authentication.
* References:
http://www.securityfocus.com/archive/1/433221/30/0/threaded
http://forum.limboforge.org/index.php?topic=6.0
http://limboforge.org/web/component/option,com_remository/Itemid,1/func,fileinfo/id,115/
* Platforms Affected:
Limbo CMS version 1.0.4.2 and earlier versions
Any operating system Any version |
| Recommendation |
Apply cumulative patch v8 for version 1.0.4.2, available from the Limbo CMS Web site at http://limboforge.org/web/component/option,com_remository/Itemid,1/func,fileinfo/id,115/ |
| Related URL |
CVE-2006-2363 (CVE) |
| Related URL |
17870 (SecurityFocus) |
| Related URL |
26366 (ISS) |
|
