Tags
0-day-publish, application flaw, attack prevention, computer exploit, cyber-intelligence, database, diebiyi, Gcon Tech, hacker tester, inzeed, jing wang, may 23, PHP Code, Solutions, SQL Injection, tetraph, v1.0, whitehat-post
Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities
Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter SQL Injection Security Vulnerabilities
Product: Gcon Tech Solutions
Vendor: Gcon Tech Solutions
Vulnerable Versions: v1.0
Tested Version: v1.0
Advisory Publication: May 24, 2015
Latest Update: May 24, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
Recommendation Details:
(1) Vendor & Product Description:
Vendor:
Gcon Tech Solutions
Product & Vulnerable Versions:
Gcon Tech Solutions
v1.0
Vendor URL & Download:
Gcon Tech Solutions can be obtained from here,
http://www.gconts.com/Development.htm
Google Dork:
“Developed and maintained by Gcon Tech Solutions”
Product Introduction Overview:
“Over the years we have developed business domain knowledge various business areas. We provide Development Services either on time and material or turn-key fixed prices basis, depending on the nature of the project. Application Development Services offered by Gcon Tech Solutions help streamline business processes, systems and information. Gcon Tech Solutions has a well-defined and mature application development process, which comprises the complete System Development Life Cycle (SDLC) from defining the technology strategy formulation to deploying, production operations and support. We fulfill our client’s requirement firstly from our existing database of highly skilled professionals or by recruiting the finest candidates locally. We analyze your business requirements and taking into account any constraints and preferred development tools, prepare a fixed price quote. This offers our customers a guaranteed price who have a single point contact for easy administration. We adopt Rapid Application Development technique where possible for a speedy delivery of the Solutions. Salient Features of Gcon Tech Solutions Application Development Services: (a) Flexible and Customizable. (b) Industry driven best practices. (c) Knowledgebase and reusable components repository. (d) Ensure process integration with customers at project initiation”
(2) Vulnerability Details:
Gcon Tech Solutions web application has a computer cyber security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Gcon Tech Solutions has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to SQL Injection vulnerabilities and cyber intelligence recommendations.
(2.1) The first programming code flaw occurs at “content.php?” page with “&id” parameter.
References:
http://www.tetraph.com/security/sql-injection-vulnerability/gcon-tech-solutions-v1-0-sql/
http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-sql.html
http://www.diebiyi.com/articles/security/gcon-tech-solutions-v1-0-sql/
http://www.inzeed.com/kaleidoscope/computer-web-security/gcon-tech-solutions-v1-0-sql/
http://computerobsess.blogspot.com/2015/05/gcon-tech-solutions-v10-sql.html
https://itswift.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-sql/
http://whitehatpost.blog.163.com/blog/static/242232054201542455422939/
https://webtechwire.wordpress.com/2015/05/24/gcon-tech-solutions-v1-0-sql/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html
http://cxsecurity.com/issue/WLB-2015040036
http://seclists.org/fulldisclosure/2015/May/32
https://www.bugscan.net/#!/x/21454
http://lists.openwall.net/full-disclosure/2015/05/08/8
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1955
IT Swift - Know IT News Swiftly
Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities
Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter SQL Injection Security Vulnerabilities
Product: Gcon Tech Solutions
Vendor: Gcon Tech Solutions
Vulnerable Versions: v1.0
Tested Version: v1.0
Advisory Publication: May 24, 2015
Latest Update: May 24, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
Recommendation Details:
(1) Vendor & Product Description:
Vendor:
Gcon Tech Solutions
Product & Vulnerable Versions:
Gcon Tech Solutions
v1.0
Vendor URL & Download:
Gcon Tech Solutions can be obtained from here,
http://www.gconts.com/Development.htm
Google Dork:
“Developed and maintained by Gcon Tech Solutions”
Product Introduction Overview:
“Over the years…
View original post 319 more words