MC Content Manager Path Disclosure / SQL Injection

2011-01-24T00:00:00
ID PACKETSTORM:97813
Type packetstorm
Reporter MustLive
Modified 2011-01-24T00:00:00

Description

                                        
-------------------------  
Affected products:  
-------------------------  
  
Only versions of MC Content Manager other than the latest are vulnerable.  
  
----------  
Details:  
----------  
  
Full path disclosure (WASC-13):  
  
http://site/article.php?root=a  
  
SQL Injection (WASC-19):  
  
http://site/article.php?root=-1%20and%20version()=4  
  
------------  
Timeline:  
------------  
  
2010.11.16 - announced at my site.  
2010.11.17 - informed developers.  
2011.01.22 - disclosed at my site.  
  
I mentioned these vulnerabilities at my site  
(http://websecurity.com.ua/4687/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
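
Added example (not MC Content Manager code and not from the reporter): one way a handler can treat the `root` parameter so that both request values listed under Details are rejected before they reach the database or an error page. The `articles` table, its columns, the function names, and the use of PDO with an in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not MC Content Manager code. Table and column names are hypothetical.
declare(strict_types=1);

// Log errors instead of rendering them, so a failure cannot leak a server path (WASC-13).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Accept `root` only as a positive decimal integer.
 * Returns null for anything else ("a", "-1 and version()=4", arrays, empty strings).
 */
function parse_root_id(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Fetch an article with a bound parameter; the value never becomes SQL text (WASC-19). */
function fetch_article(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'Welcome')");

// The two URL-decoded values from the advisory, plus one valid id.
foreach (['a', '-1 and version()=4', '1'] as $raw) {
    $id = parse_root_id($raw);
    if ($id === null) {
        echo 'root=' . var_export($raw, true) . " -> 400 Bad Request\n";
        continue;
    }
    $row = fetch_article($db, $id);
    echo "root=$raw -> " . ($row ? $row['title'] : '404 Not Found') . "\n";
}
```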