Vulners
Lucene search
MC Content Manager Cross Site Scripting / SQL Injection
`Hello Bugtraq!
I want to warn you about Cross-Site Scripting and SQL Injection
vulnerabilities in MC Content Manager. Which I found in this CMS in 2007 and
2009 at the site of SZRU (Foreign Intelligence Service of Ukraine) - it's
Ukrainian special service similar to CIA and MI6 (SIS).
>From 8 vulnerabilities in CMS which I found at 08.01.2007, 23.09.2007,
30.09.2007 and 10.04.2009 (5 XSS and 3 SQLi), only 4 holes were disclosed by
me (other 4 were privately reported in September 2007 and will not be
disclosed).
XSS:
http://site/article.php?root=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/static.php?page=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/cms/%3Cbody%20onload=alert(document.cookie)%3E/
SQL Injection:
http://site/cms/ua%20where%201=1--%20/
Vulnerable are earlier versions of MC Content Manager from mc design. Last
version MC Content Manager v.10.1.1 already isn't affected.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4404/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Jul 2010 00:00Current
0.8Low risk
Vulners AI Score0.8