Lidosys CMS SQL Injection / Information Disclosure

`Hello list!  
  
I'm presenting you the vulnerabilities in LIOOSYS CMS - Polish commercial  
CMS.  
  
These are SQL Injection and Information Leakage vulnerabilities.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of the system, except the last one, which was  
released by developers after my informing. Where they've fixed these  
vulnerabilities in their CMS. But there are a lot of other vulnerabilities  
in this CMS.  
  
----------  
Details:  
----------  
  
SQL Injection (WASC-19):  
  
http://site/index.php?id=-1%20union%20select%201,version(),3,4,5/*  
  
Information Leakage (WASC-13):  
  
http://site/_files_/db.log  
  
Leakage of a log of DB requests errors. It can be used for getting   
information about DB structure and at conducting of SQL Injection attacks   
(because error messages aren't shown at pages of a site).  
  
------------  
Timeline:  
------------  
  
2012.06.09 - announced at my site.  
2012.06.10 - informed the developers.  
2012.06.18 - the developers answered, that they fixed the holes in CMS and  
would begun updating web sites on it.  
2012.06.18 - informed the developers that there are many other  
vulnerabilities in CMS and asked about affected version. But they didn't  
answer.  
2012.06.28 - disclosed at my site (http://websecurity.com.ua/5885/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
`