Concrete CMS SQL Injection Vulnerability Network Vulnerability

Summary

The host is installed with Concrete CMS and is prone to sql injection vulnerability

Impact

Successful exploitation will allow remote attackers to execute arbitrary SQL commands in applications database and gain complete control over the vulnerable web application. Impact Level: Application

Solution

Upgrade to version 5.6.3 or later, For updates refer to https://www.concrete5.org

Insight

The flaw is due to improper validation of 'cID' parameter passed to '/index.php' script.

Affected

Concrete CMS version 5.6.2.1

Detection

Send a crafted exploit string via HTTP GET request and check whether it is possible to execute sql query.

References

http://1337day.com/exploit/21919
http://packetstormsecurity.com/files/125280/concrete5-sql.txt
http://www.exploit-db.com/exploits/31735/

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Admin Bot 'news.php' SQL Injection Vulnerability
ActivDesk Multiple Cross Site Scripting and SQL Injection Vulnerabilities
Apache Archiva Multiple Remote Command Execution Vulnerabilities
b2ePMS Multiple SQL Injection Vulnerabilities
b2Evolution title SQL Injection

Take action and discover your vulnerabilities