[VIM] vendor dispute: 22066: SpireMedia CMS index.cfm cid Variable SQL Injection (fwd)

security curmudgeon jericho at attrition.org
Wed Jan 18 00:06:33 EST 2006

---------- Forwarded message ----------
From: Thaddeus Wakefield Batt
To: moderators at osvdb.org
Cc: matthew at spiremedia.com, jlopez at spiremedia.com
Date: Tue, 17 Jan 2006 21:42:37 -0700
Subject: [OSVDB Mods] [Change Request] 22066: SpireMedia CMS index.cfm cid Variable SQL Injection


You have published a security related issue regarding our software: "SpireMedia CMS is prone to an SQL injection
vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in
an SQL query."

This information is incorrect, unproven, and potentially slanderous. When confronted with an invalid cid, the spiremedia cms
will either display a

    Oops! We could not find the page you are trying to access.

if the cid presented is an integer, or a

    Invalid data foobar for CFSQLTYPE CF_SQL_INTEGER.

if the cid presented is a string.

Please either validate or remove this information from your site immediately.


thaddeus wakefield batt, cto/coo
inspired technology. inspired results.
http://www.spiremedia.com/ :|:|: vox: (303) 620-9974
fax: (303) 629-6385 :|:|: icq: 229911936
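
The second message quoted above is the error ColdFusion's cfqueryparam tag raises when a value does not match its declared cfsqltype. The following is an added example, not part of the original message and not SpireMedia's code, of a page handler that produces both described outcomes; the datasource "cms", the table "pages" and its columns are assumed names.

```cfml
<!--- Added example: hypothetical handler for index.cfm?cid=... --->
<!--- Datasource "cms" and table "pages" (cid, title) are assumed names. --->
<cfparam name="url.cid" default="">

<cftry>
    <!--- cfqueryparam sends cid as a typed bind parameter. A value that is
          not an integer fails validation in ColdFusion, so it never becomes
          part of the SQL text sent to the database. --->
    <cfquery name="page" datasource="cms">
        SELECT title
        FROM pages
        WHERE cid = <cfqueryparam value="#url.cid#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfif page.recordCount EQ 0>
        <!--- Well-formed integer with no matching row: the "not found" case. --->
        <cfheader statuscode="404" statustext="Not Found">
        <cfoutput>Oops! We could not find the page you are trying to access.</cfoutput>
    <cfelse>
        <cfoutput><h1>#encodeForHTML(page.title)#</h1></cfoutput>
    </cfif>

    <cfcatch type="any">
        <!--- A non-integer cid such as "foobar" ends up here with the message
              "Invalid data foobar for CFSQLTYPE CF_SQL_INTEGER."
              Record it server-side and return a generic response instead of
              showing the raw error text to the client. --->
        <cflog file="cms_input" type="warning"
               text="Rejected cid: #encodeForHTML(cfcatch.message)#">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid request.</cfoutput>
    </cfcatch>
</cftry>
```

Typed binding protects only the statements that use it, so a review of this kind of handler checks every cfquery that takes request input, not just the one behind cid.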
