Multiple SQL injection vulnerabilities in RunCMS before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the lid parameter to (1) brokenfile.php, (2) visit.php, or (3) ratefile.php in modules/mydownloads/; or (4) ratelink.php, (5) modlink.php, or (6) brokenlink.php in modules/mylinks/.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://www.exploit-db.com/exploits/4787 | exploit |
| http://osvdb.org/41240 | vdb entry |
| http://osvdb.org/41238 | vdb entry |
| http://osvdb.org/41235 | vdb entry |
| http://www.runcms.org/modules/mydownloads/singlefile.php?lid=131 | |
| https://www.exploit-db.com/exploits/4790 | exploit |
| http://osvdb.org/41239 | vdb entry |
| http://www.securityfocus.com/bid/27019 | exploit vdb entry patch |
| http://osvdb.org/41236 | vdb entry |
| http://osvdb.org/41237 | vdb entry |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/39289 | vdb entry |
| http://securityreason.com/securityalert/3493 | third party advisory |
| http://www.securityfocus.com/archive/1/485512/100/0/threaded | mailing list |