Construtiva CIS Manager SQL Injection

2014-05-18T00:00:00
ID PACKETSTORM:126659
Type packetstorm
Reporter Thiago C.
Modified 2014-05-18T00:00:00

Description

                                        
                                            `Construtiva CIS Manager CMS POST SQLi  
  
TL;DR;  
======  
  
. PRODUCT : Construtiva CIS Manager  
. TYPE : SQLi http://site/autenticar/lembrarlogin.asp (POST email)  
. CVE : CVE-2014-3749  
  
  
Software Description  
====================  
  
. The CIS Manager platform is a complete and powerful tool to manage  
sites and corporative portals on the Internet. The platform components  
bring autonomy to your company to manage the content (structure,  
texts, images, downloadable files, articles, news...) without the need  
of a developer.  
  
(...)  
  
  
Release date  
============  
  
2014-05-16  
  
  
Details  
=======  
  
. SQL injection using POST parameters:  
  
URL: http://site/autenticar/lembrarlogin.asp  
TYPE: error-based  
PARAM: email  
PAYLOAD: email=xxx' AND (...)  
  
  
Disclosure Timeline  
===================  
  
2014-04-16: Vendor notification.  
2014-04-26: No response. Vendor notification again.  
2014-05-10: No response. Vendor notification again.  
2014-05-16: Public disclosure.  
  
  
Contact  
=======  
  
Thiago C.  
edge () bitmessage.ch  
  
  
  
  
  
`