MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security Vulnerabilities

2013-Predictions-Computer-Security-Threats-Cyber-Warfare

MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security Vulnerabilities



Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Security Vulnerabilities

Product: Web-Design

Vendor: MT.VERNON MEDIA

Vulnerable Versions: v1.12

Tested Version: v1.12

Advisory Publication: May 08, 2015

Latest Update: May 08, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Credit: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)




Proposition Details:



(1) Vendor & Product Description:



Vendor:

MT.VERNON MEDIA



Product & Vulnerable Versions:

Web-Design

v1.12



Vendor URL & Download:

MT.VERNON MEDIA can be obtained from here,

http://www.mtvernonmedia.com/services/WebDesign.html


Google Dork:

“developed by: Mt. Vernon Media”




Product Introduction Overview:

“In today’s economy every business is more focused on ROI (Return On Investment) than ever before. We’ll help you ensure a solid ROI for your website, not only making it effective and easy to use for your clients, but helping you to drive traffic to your site and ensuring effective content and design to turn traffic into solid leads, sales, or repeat customers. We offer custom design and development services tailored to your needs and specifications drawn up jointly with you to ensure that the appropriate technology is leveraged for optimum results, creating a dynamic and effective design, based on market effectiveness and user-friendly design standards. Our developers are experts in web application development using various programming languages including Perl, SQL, C, C+, and many other back-end programming languages, as well as database integration. For a view of some of your past projects, take a look at our list of clients. We handle custom development of your Internet project from conception through publication:

Internet & Intranet sites

Design concepts, layouts, and specifications

Intuitive Graphical User Interface (GUI) design

Dynamic navigation design

Creation and manipulation of graphical design elements

GIF Animation

Flash development

HTML hand-coding and debugging

JavaScript for interactivity and error-checking

ASP (Active Server Pages)

Customized Perl CGI scripts (mailing lists, form submission, etc)

Customized application development in varied programming languages

Site publication and promotion

On-going updating and maintenance

Banner ads”





(2) Vulnerability Details:

MT.VERNON MEDIA web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.


Several other MT.VERNON MEDIA products 0-day vulnerabilities have been found by some other bug hunter researchers before. MT.VERNON MEDIA has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to SQL Injection vulnerabilities.



(2.1) The first programming code flaw occurs at “section.php?” page with “&id” parameter.


(2.2) The second programming code flaw occurs at “illustrated_verse.php?” page with “&id” parameter.


(2.3) The third programming code flaw occurs at “image.php?” page with “&id” parameter.







References:

http://www.tetraph.com/security/sql-injection-vulnerability/mt-vernon-media-web-design-v1-12-multiple-sql-injection/

http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple_8.html

http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-multiple-sql-injection/

https://progressive-comp.com/?a=139222176300014&r=1&w=1​

http://whitehatpost.blog.163.com/blog/static/242232054201548925221/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/mt-vernon-media-web-design-v1-12-multiple-sql-injection/

https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44951

https://www.bugscan.net/#!/x/21160

http://bluereader.org/article/27452998

Advertisements

One thought on “MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security Vulnerabilities

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s