BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Monstra CMS Blind SQL Injection Vulnerability

Disclosed September 20, 2013    Zeroday : 377 days

Vulnerability Description:

A blind SQL injection vulnerability exists in the login submit module, via a POST request. Attackers are able to abuse the ‘login id’ parameter to inject malicious SQL commands, which could be used to completely compromise the database’s integrity.

Vendors:

Sergey Romanenko

Vulnerable Software/Devices:

Monstra Content Management System 1.2.0

Vulnerability Severity:

Medium

Exploit Availability:

No Exploit Available

Exploit Impact:

SQL Injection
A remote attacker is able to change the value of certain parameters in a query within Monstra CMS, allowing the attacker to query the database and possibly gain access to sensitive information. This may be leveraged to gain access to other sensitive components of a website or publicly facing infrastructure.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.

  • 30709 - Monstra CMS Blind SQL Injection Vulnerability (20130926) (Zero-Day)

Mitigation:

Until a patch is released, administrators can escape the login input via POST request method.

Links:

CVE(s):

None