
Multiple vulnerabilities in MyDMS
--------------------------------------------------------------------------- 
                Multiple vulnerabilities in  MyDMS  
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
MyDMS 
 
MyDMS is an open-source document management system 
based on PHP and MySQL, published under the GPL. 
 
Web : http://dms.markuswestphal.de/about.html 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. SQL Injection Vulnerability 
 
A1. An SQL Injection vulnerability was found in the 
file /demo/out/out.ViewFolder.php. 
The parameter "FolderId" is not correctly 
sanitized, and an attacker can inject 
any valid SQL command. The error can be 
triggered with: 
 
        http://<host-with-mydms>/demo/out/out.ViewFolder.php?folderid=3 or 1=1as 
 
NOTE: I put "or 1=1as"; well, this doesn't work, 
but you can see the entire 
SQL query that the server executes. 
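The defect described in A1 is a request parameter spliced into the SQL text, and the error page leaking the resulting query. The following Python example is added here for illustration; it is not MyDMS code, and the folder table, column names and sample rows are constructed for the demonstration (SQLite stands in for MySQL). It shows the vulnerable construction beside the hardened form, which validates the parameter as an integer, binds it as a query parameter, and returns a generic error instead of echoing the query.

```python
import re
import sqlite3

# Constructed sample rows standing in for a folder table; the table and column
# names are assumptions made for this demonstration, not MyDMS's real schema.
SAMPLE_FOLDERS = [(1, "Root"), (2, "Finance"), (3, "HR"), (4, "Engineering")]

FOLDER_ID_RE = re.compile(r"[0-9]+")  # ASCII digits only


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed folder rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folders (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO folders VALUES (?, ?)", SAMPLE_FOLDERS)
    return conn


def view_folder_vulnerable(conn, folderid: str) -> list:
    """The defect pattern: the request parameter is spliced into the SQL text.

    Anything after the number becomes part of the WHERE clause, so a value
    such as '3 OR 1=1' widens the result to every folder.
    """
    sql = "SELECT id, name FROM folders WHERE id = " + folderid
    return conn.execute(sql).fetchall()


def view_folder_fixed(conn, folderid: str) -> list:
    """Hardened form: validate the type first, then bind the value as a parameter."""
    if not FOLDER_ID_RE.fullmatch(folderid):
        raise ValueError("folderid must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM folders WHERE id = ?", (int(folderid),)
    ).fetchall()


def handle_request(conn, folderid: str) -> dict:
    """What the page should send back: rows on success, a generic error otherwise.

    The advisory notes that the original error page echoed the whole SQL query;
    returning a fixed message keeps the query text out of the response.
    """
    try:
        return {"ok": True, "rows": view_folder_fixed(conn, folderid)}
    except (ValueError, sqlite3.Error):
        return {"ok": False, "error": "invalid folder id"}


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, '3 OR 1=1':", view_folder_vulnerable(conn, "3 OR 1=1"))
    print("fixed, '3 OR 1=1':", handle_request(conn, "3 OR 1=1"))
    print("fixed, '3':", handle_request(conn, "3"))
```

The integer check alone would close this particular hole, but binding the value as a parameter is the habit that survives a later change to a string-typed column, so the hardened function does both.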
 
B. Unspecified File Download Vulnerability 
 
B1. An error in the MyDMS software allows 
registered users (and only 
registered users) to download any file, such 
as /etc/passwd, by inserting into a 
parameter text such as ../../../../../etc/passwd. 
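The file download problem in B1 is a path traversal: a user-supplied name is joined onto the document store's directory without checking where the resolved path ends up. The Python example below is added here and is not MyDMS code; the throwaway store directory and its single document are constructed for the demonstration. The check resolves the requested path with realpath() and accepts it only if it still lies inside the store root, which rejects both the ../ sequence quoted in the advisory and an absolute path.

```python
import os
import tempfile


def safe_document_path(store_root: str, requested: str) -> str:
    """Resolve `requested` relative to the store and refuse anything that escapes it.

    realpath() collapses '..' segments and follows symlinks, so the comparison is
    made on the final filesystem location, not on the raw string the user sent.
    """
    root = os.path.realpath(store_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath() compares whole path components, so a store at /srv/dms does
    # not accidentally accept /srv/dms-backup/...
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the document store")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def is_inside_store(store_root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for tests and for logging refused requests."""
    try:
        safe_document_path(store_root, requested)
        return True
    except (ValueError, FileNotFoundError):
        return False


def build_demo_store() -> str:
    """Create a throwaway document store with one constructed document and return its root."""
    root = tempfile.mkdtemp(prefix="dms_store_")
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("constructed sample document\n")
    return root


def demo() -> dict:
    """Run the check against the advisory's traversal string and a legitimate name."""
    root = build_demo_store()
    return {
        "legit": is_inside_store(root, "report.txt"),
        "traversal": is_inside_store(root, "../../../../../etc/passwd"),
        "absolute": is_inside_store(root, "/etc/passwd"),
    }


if __name__ == "__main__":
    print(demo())
```

A stronger design removes the filename from the request entirely: the download handler takes a numeric document id, looks the stored path up in the database, and never builds a path from user input. The containment check above is still worth keeping as a second line of defence in front of the filesystem call.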
 
Affected Versions :  
~~~~~~~~~~~~~~~~~~~ 
 
The SQL Injection problem affects versions prior to 
1.4.2. 
The file download problem affects all versions. 
 
The fix: 
~~~~~~~~ 
 
The SQL Injection problem is corrected in 
version 1.4.2. 
The file download problem is not yet corrected; 
the vendor has been contacted. 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es