Detections
Analytics
Etomite CMS index.php id Parameter SQL Injection
medium Nessus Plugin ID 23724
Language:
Synopsis
The remote web server contains a PHP script that is affected by a SQL injection vulnerability.Description
The remote web server is running Etomite CMS, a PHP-based content management system.The version of Etomite CMS installed on the remote host fails to sanitize input to the 'id' parameter before using it in the 'index.php' script in a database query. Provided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated attacker can exploit this issue to manipulate SQL queries, possibly leading to disclosure of sensitive data, attacks against the underlying database, and the like.
Solution
No patches or upgrades have been reported by the vendor at this time.See Also
https://www.securityfocus.com/archive/1/451838/30/0/threaded
Plugin Details
Severity: Medium
ID: 23724
File Name: etomite_0612_sql_injection.nasl
Version: 1.23
Type: remote
Family: CGI abuses
Published: 11/23/2006
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.6
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 6.1
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
Required KB Items: www/PHP
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 11/16/2006
Reference Information
CVE: CVE-2006-6048
BID: 21135