ContentNow Index.PHP SQL Injection Vulnerability

Bugtraq ID:	21237
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Nov 21 2006 12:00AM
Updated:	Nov 24 2006 06:50PM
Credit:	Revenge is credited with the discovery of this vulnerability.
Vulnerable:	ContentNow ContentNow 1.39 ContentNow ContentNow 1.30
Not Vulnerable:	ContentNow ContentNow 1.40

ContentNow Index.PHP SQL Injection Vulnerability

ContentNow is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

This issue affects version 1.39; earlier versions may also be vulnerable.

ContentNow Index.PHP SQL Injection Vulnerability

An attacker can exploit this issue via a web client.

ContentNow Index.PHP SQL Injection Vulnerability

Solution:
The vendor has released version 1.40 to address this issue.


ContentNow ContentNow 1.30

• ContentNow contentNow_140.zip
  http://downloads.sourceforge.net/contentnow/contentNow_140.zip?modtime =1164122911&big_mirror=0

ContentNow ContentNow 1.39

• ContentNow contentNow_140.zip
  http://downloads.sourceforge.net/contentnow/contentNow_140.zip?modtime =1164122911&big_mirror=0

ContentNow Index.PHP SQL Injection Vulnerability

References:

• Vendor Home Page (ContentNow)
  
• ContentNow CMS 1.39 Sql Injection + Path Disclosure Vulnerabilities ([email protected])