[VIM] Blue CMS `X-Forwarded-For' Header SQL Injection Vulnerability
rkeith
rkeith at securityfocus.com
Tue Sep 7 10:54:46 CDT 2010
Hey George,
Thanks for noting that, looks like we had the wrong reference.
Updating the BID, should be out shortly.
-Rob
George A. Theall wrote:
> Bugtraq 42999 covers a vulnerability based apparently on the advisory
> published at <http://bbs.wolvez.org/viewtopic.php?id=148>. The exploit
> has the string "BlueCMS v1.6 sp1" and involves the script 'comment.php'
> but doesn't otherwise point to the vendor.
>
> SecurityFocus in its BID references
> <http://www.bluefountain.com/solutions/blue-cms-content-management-system>,
> an English company with a couple of different products, one of which is
> "Blue CMS". I don't see a download for that product or a demo, though, so
> I can't be sure. Still, the product description talks about it using
> Plone, which makes me wonder if the reference isn't wrong.
>
> And indeed, if you search on 'bluecms "v1.6"', one of the top hits
> uncovered is to http://www.bluecms.net/, a Chinese site, which offers a
> download for "BlueCMS v1.6 sp1" and seems to require PHP and MySQL.
> Unfortunately, the download link doesn't work currently.
>
> Any thoughts? Rob?
>
> George
--
Rob Keith
Symantec