[VIM] vendor dispute: 22066: SpireMedia CMS index.cfm cid Variable SQL Injection (fwd)
jericho at attrition.org
Wed Jan 18 00:06:33 EST 2006
---------- Forwarded message ----------
From: Thaddeus Wakefield Batt
To: moderators at osvdb.org
Cc: matthew at spiremedia.com, jlopez at spiremedia.com
Date: Tue, 17 Jan 2006 21:42:37 -0700
Subject: [OSVDB Mods] [Change Request] 22066: SpireMedia CMS index.cfm cid
Variable SQL Injection
You have published a security related issue regarding our software: "SpireMedia CMS is prone to an SQL injection
vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in
an SQL query. "
This information is incorrect, unproven, and potentially slanderous. When confronted with an invalid cid, the spiremedia cms
will either display a
Oops! We could not find the page you are trying to access.
if the cid presented is an integer, or a
Invalid data foobar for CFSQLTYPE CF_SQL_INTEGER.
if the cid presented is a string.
Please either validate or remove this information from your site immediately.
thaddeus wakefield batt, cto/coo
S PIRE M EDIA ® , INC.
inspired technology. inspired results.
http://www.spiremedia.com/ :|:|: vox: (303) 620-9974
fax: (303) 629-6385 :|:|: icq: 229911936
More information about the VIM