Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 HTTP:SQL:INJ:FACTO-CMS

Severity

 Medium

Recommended

 No

Category

 HTTP

Keywords

 FactoSystem CMS SQL Injection

Release Date

 2003/04/22

Update Number

 1213

Supported Platforms

 di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: FactoSystem CMS SQL Injection


This signature detects attempts to exploit a known vulnerability in the FactoSystem Content Management System (CMS). Attackers can introduce instructions into a SQL query to create a non-authorized CMS account.

Extended Description

FactoSystem Weblog is a freely available, open source software package for weblogging and managing content. It is available for Microsoft Windows operating systems. FactoSystem does not adequately filter special characters from requests. Because of this, it may be possible for a remote user to submit a request containing encoded special characters and SQL, and execute arbitrary commands. This could lead to execution of SQL commands in the security context of web database user.

Affected Products

  • FactoSystem FactoSystem Weblog 0.9.0 b
  • FactoSystem FactoSystem Weblog 1.0.0 Beta
  • FactoSystem FactoSystem Weblog 1.1.0 Beta

References

  • BugTraq: 5600
  • CVE: CVE-2002-1499
  • URL: http://online.securityfocus.com/archive/1/290021
  • URL: http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0097.html
  • URL: http://sourceforge.net/tracker/index.php?func=detail&aid=602711&group_id=12668&atid=112668

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out