CVE-2010-2342

Severity: high
Published 2010-06-21 · Modified 2026-04-29
CVSS v3: —
CVSS v4: — (not yet in upstream)
VIR risk: 8.5

Description

SQL injection vulnerability in onlinenotebookmanager.asp in DMXReady Online Notebook Manager 1.0 allows remote attackers to execute arbitrary SQL commands via the ItemID parameter.

Predictions

Exploit likelihood: 20%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-13793 webapps asp verified text · 3 KB
L0rd CrusAd3r · 2010-06-09

Online Notebook Manager - SQL Injection

Source: Exploit-DB
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title: Online Notebook Manager SQLi Vulnerability
Version:1.0
Price:$149.97
Vendor url:http://dmxready.com/?product=online-notebook-manager
Published: 2010-06-09
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue™®, S1ayer,d3c0d3r and to all ICW members
################################################################

Online Notebook Manager SQLi Vulnerability
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]

################################################################

Description:

DMXReady Online Notebook Manager is an easy-to-use application that helps you create, edit, and manage your online documents.
Use as a fast web publisher, build a mini-website, or keep it as your own private online journal.

   1. Use with any standard web browser like Internet Explorer, Firefox, Safari
   2. Structure your notebook as an online document or mini-website
   3. Publish your information quickly and easily - no need for IT
   4. Navigate easily with built-in Navigation Bar/Table of Contents
   5. Skin with ANY template using Dreamweaver or any other HTML editor
   6. Enhance your content by embedding Web 2.0 apps like Google Docs and YouTube Videos
   7. Use as a stand-alone, or integrate with your current website
   8. Easily find content with built-in keyword search
   9. Secure admin pages - built-in login with lost password feature
  10. W3C Valid CSS and XHTML markup
  11. MySQL, MSSQL compatible
  12. Create multiple notebooks with just one installation!

Creating your own online content does not get any easier. DMXReady Online Notebook Manager offers all the flexibility and functionality you need to collect, store, and publish your information.
################################################################

Vulnerability:

*SQLi Vulnerability

Admin Control:

Username: admin
Password: admin

DEMO URL :http://site.com/onlinenotebookmanager.asp?ItemID=[SQLi]


----------------------------------------------------------------
# 0day n0 m0re #
----------------------------------------------------------------

################################################################

Application impact

Vendor: dmxready
Product: online_notebook_manager
Versions: 1.0
Fixed: —

References

CWEs

CWE-89
