==========================================
Found by: WarGame
Group: EOF-PROJECT
Links & mail: http://www.eof-project.net - wargame@eof-project.net
Link to storye CMS: http://www.dol.it
==========================================

It is possible to inject SQL code in storye CMS. This is an ASP CMS that allows you to handle dynamic site management and more.

The flaw is present in the script "dettaglio.asp": the parameters id_doc and id_aut are not sanitized, so it might be possible to inject any SQL code.

Example:
http://www.dork.com/path_to_storye/dettaglio.asp?id_doc='[SQL code]
http://www.dork.com/path_to_storye/dettaglio.asp?id_aut='[SQL code]

Dorks in Google: "powered by storye"
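
Added example, not code from storye CMS or from the advisory's author: a sketch of how a classic ASP detail page can handle id_doc (the same applies to id_aut) with strict validation and a parameterized ADO command. The connection string CONN_STR, the table "documenti", its columns, and the idea that the ids are integers are all assumptions made for illustration.

```vbscript
' Hypothetical handler; runs inside <% ... %> on an ASP page.
' Assumed: CONN_STR is defined elsewhere; table "documenti" has id, titolo, testo.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Accept only 1 to 9 decimal digits; return -1 for anything else.
Function ParseId(raw)
    Dim re
    ParseId = -1
    If Len(raw) = 0 Or Len(raw) > 9 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[0-9]+$"
    If re.Test(raw) Then ParseId = CLng(raw)
End Function

Dim idDoc, conn, cmd, rs
idDoc = ParseId(Request.QueryString("id_doc") & "")
If idDoc < 0 Then
    ' Reject early so malformed input never reaches the database layer.
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR

' Unsafe pattern, shown only for contrast: the input becomes part of the SQL text.
'   sql = "SELECT titolo, testo FROM documenti WHERE id = " & Request.QueryString("id_doc")

' Hardened: the SQL text is constant and the value travels as a typed parameter.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT titolo, testo FROM documenti WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id_doc", adInteger, adParamInput, , idDoc)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
Else
    ' Encode on output so stored content is not interpreted as markup.
    Response.Write Server.HTMLEncode(rs("titolo").Value & "")
End If
rs.Close
conn.Close
```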