Multiple vulnerabilities in MyDMS
---------------------------------------------------------------------------
Author: Joxean Koret
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MyDMS
MyDMS is an open-source document management system based on PHP and MySQL, published under the GPL.
Web : http://dms.markuswestphal.de/about.html
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. SQL Injection Vulnerability
A1. An SQL Injection vulnerability was found in the file /demo/out/out.ViewFolder.php.
The parameter "FolderId" is not correctly sanitized, so an attacker can inject any valid SQL command. You can trigger the error with:
http://<host-with-mydms>/demo/out/out.ViewFolder.php?folderid=3 or 1=1as
NOTE : I put "or 1=1as"; well, this doesn't work, but you can see the entire SQL query that the server executes.
B. Unspecified File Download Vulnerability
B1. An error in the MyDMS software allows registered users (and only registered users) to download any file, such as /etc/passwd, by supplying in a parameter a value such as ../../../../../etc/passwd.
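As an added example (not MyDMS's own code), the two PHP handlers below show how the input classes behind A and B are validated on the server side: the folder id is forced to an integer and bound through a prepared statement, and the download name is resolved against the document store and refused if its canonical path leaves it. Function, table and directory names are assumptions.

```php
<?php
// Added example, not taken from MyDMS. Names of functions, the table
// and the document store directory are assumptions for illustration.

// A. Folder lookup for the advisory's "folderid" parameter. The unsafe
// pattern concatenates the raw string into the query; here the value is
// validated as an integer and passed as a bound parameter instead.
function loadFolder(mysqli $db, string $rawFolderId): ?array
{
    // FILTER_VALIDATE_INT rejects "3 or 1=1as" outright; null means bad input.
    $folderId = filter_var($rawFolderId, FILTER_VALIDATE_INT);
    if ($folderId === false || $folderId < 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM tblFolders WHERE id = ?'); // table name assumed
    $stmt->bind_param('i', $folderId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// B. File download. The requested name must be a direct child of the
// store directory; realpath() collapses ".." and symlinks, so a value
// like "../../../../../etc/passwd" resolves outside $base and is refused.
function resolveDownloadPath(string $storeDir, string $requested): ?string
{
    $base = realpath($storeDir);
    if ($base === false) {
        return null;
    }
    // No separators or NUL bytes in the bare file name.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null; // missing, or canonical path is outside the store
    }
    return $full;
}
```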
Affected Versions:
~~~~~~~~~~~~~~~~~~
The SQL Injection problem is in versions prior to 1.4.2.
The file download problem is in all versions.
The fix:
~~~~~~~~
The SQL Injection problem is corrected in version 1.4.2.
The file download problem is not corrected yet, but the vendor has been contacted.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es