CMS SiteLogic Cross Site Scripting / Shell Upload

🗓️ 19 Apr 2010 00:00:00Reported by MustLiveType

packetstorm🔗 packetstormsecurity.com👁 18 Views

CMS SiteLogic Ukrainian commercial CMS, multiple vulnerabilities including XSS and Shell Upload

`Hello Full-Disclosure!  
  
I want to warn you about new security vulnerabilities in CMS SiteLogic. It's  
Ukrainian commercial CMS. In addition to previously reported  
vulnerabilities, I will report about vulnerabilities in this CMS, which I  
disclosed in 2009 (it's second advisory with vulnerabilities which I  
disclosed last year).  
  
-----------------------------  
Advisory: New vulnerabilities in CMS SiteLogic  
-----------------------------  
URL: http://websecurity.com.ua/3580/  
-----------------------------  
Affected products: all versions of CMS SiteLogic.  
-----------------------------  
Timeline:  
  
16.01.2009 - found XSS vulnerability.  
06.04.2009 - found Command Execution vulnerability.  
28.06.2009 - when I was informing developers about previous holes (which I  
wrote about in previous advisory), I mentioned them that there are many  
other holes in their CMS (but they ignored as previous holes, as new ones).  
10.10.2009 - disclosed at my site.  
11.10.2009 - additionally informed developers.  
-----------------------------  
Details:  
  
These are Cross-Site Scripting and Command Execution vulnerabilities.  
  
XSS:  
  
http://site/?mid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
Command Execution:  
  
It's possible to upload arbitrary files (shell upload) via module Banner  
system in admin panel.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`

19 Apr 2010 00:00Current

0.7Low risk

Vulners AI Score0.7