Vulnerability Note VU#368300
Hummingbird CyberDOCS vulnerable to SQL injection
Overview
Hummingbird CyberDOCS contains an SQL injection vulnerability that could allow a remote attacker to execute SQL commands.
Description
Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. The login page (loginact.asp on IIS) does not properly filter user input, allowing a remote attacker to supply SQL commands that may be executed by the underlying database.
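The flaw class described above, shown as an added example that is not code from CyberDOCS or from the original note: Python with sqlite3 stands in for the ASP login page and its database, and the table, column and function names are assumptions. A legitimate user name containing an apostrophe is enough to show that concatenated input reaches the SQL parser, while a bound parameter stays data.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (schema and rows are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("o'brien", "hash-a"), ("alice", "hash-b")],  # constructed sample data
    )
    return db


def login_concat(db, name, pw_hash):
    """Flawed pattern: form input is spliced into the SQL text before parsing."""
    sql = "SELECT 1 FROM users WHERE name = '%s' AND pw_hash = '%s'" % (name, pw_hash)
    return db.execute(sql).fetchone() is not None


def login_bound(db, name, pw_hash):
    """Hardened pattern: placeholders keep the input out of the SQL grammar."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, pw_hash)).fetchone() is not None


def input_reaches_parser(db, name, pw_hash):
    """True when the input alters the statement's structure in the flawed version.

    A parser error on ordinary input is the signal a code reviewer or tester
    looks for: the value was interpreted as SQL rather than compared as data.
    """
    try:
        login_concat(db, name, pw_hash)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concat, plain name:     ", login_concat(db, "alice", "hash-b"))
    print("concat, apostrophe name:", "parser error" if input_reaches_parser(db, "o'brien", "hash-a") else "ok")
    print("bound, apostrophe name: ", login_bound(db, "o'brien", "hash-a"))
```
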
Impact
Depending on the configuration of the database system, an unauthenticated, remote attacker may be able to execute operating system commands, modify databases, or determine system configuration information.
Solution
Upgrade
This vulnerability does not exist in CyberDOCS 3.9 or later. Hummingbird recommends that customers upgrade to the most recent version of CyberDOCS.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Hummingbird | Vulnerable | 17 Sep 2003 | 09 Oct 2003 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.procheckup.com/security_info/vuln_pr0304.html
- http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
Credit
This vulnerability was discovered and reported by ProCheckUp.
This document was written by Art Manion.
Other Information
- CVE IDs: Unknown
- Date Public: 06 Oct 2003
- Date First Published: 09 Oct 2003
- Date Last Updated: 09 Oct 2003
- Severity Metric: 3.90
- Document Revision: 17
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify