29 matches found

Packet Storm
added 2015/04/18 12:0 a.m., 19 views

Nodes Studio CMS XSS / Path Disclosure / SQL Injection

Hello list! There are SQL Injection, Cross-Site Scripting and Full Path Disclosure vulnerabilities in Nodes Studio CMS. This is a Russian commercial CMS, which I found at one site of Russian terrorists and propagandists. ------------------------- Affected vendors: ------------------------- Nodes...

0.9 AI score
Exploits: 0

securityvulns
added 2014/11/10 12:0 a.m., 97 views

IL and CSRF vulnerabilities in D-Link DAP-1360

Hello 3APA3A! There are Information Leakage and Cross-Site Request Forgery vulnerabilities in D-Link DAP-1360 Wi-Fi Access Point and Router. ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model with other...

0.8 AI score
Exploits: 0

securityvulns
added 2013/09/09 12:0 a.m., 44 views

CS, XSS and FPD vulnerabilities in MCImageManager for TinyMCE

Hello 3APA3A! I want to warn you about vulnerabilities in Moxiecode Image Manager MCImageManager. This is a commercial plugin for TinyMCE. It concerns both MCImageManager and all web applications which have MCImageManager in their bundle. These are Content Spoofing, Cross-Site Scripting and Full Path...

0.1 AI score
Exploits: 0

Packet Storm
added 2013/08/27 12:0 a.m., 55 views

Atlassian Confluence 3.x / 4.x Information Disclosure

Hello list, Since the vendor does not seem to care about this issue more than a year after the initial report https://jira.atlassian.com/browse/CONF-23985, I think that it is time to share this issue. ------------------------- Affected products: ------------------------- Atlassian Confluence 3.x and 4.x...

7.4 AI score
Exploits: 0

Packet Storm
added 2013/07/17 12:0 a.m., 34 views

Joomla Googlemaps XSS / XML Injection / Path Disclosure / DoS

Hello list! These are Denial of Service, XML Injection, Cross-Site Scripting and Full path disclosure vulnerabilities in Googlemaps plugin for Joomla. ------------------------- Affected products: ------------------------- Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and...

7.4 AI score
Exploits: 0

securityvulns
added 2013/07/15 12:0 a.m., 71 views

CS, XSS and FPD vulnerabilities in WordPress

Hello 3APA3A! These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress. In the WordPress 3.5.2 release, the same as in the 3.5.1 release, WP developers mentioned multiple fixed holes, but not all of them - to make it look like there were fewer fixed holes. So...

0.2 AI score
Exploits: 0

securityvulns
added 2013/05/06 12:0 a.m., 88 views

XSS and FPD vulnerabilities in ZeroClipboard in multiple themes for WordPress

Hello 3APA3A! These are Cross-Site Scripting and Full path disclosure vulnerabilities in multiple themes for WordPress with ZeroClipboard.swf. Earlier I wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard http://seclists.org/fulldisclosure/2013/Feb/103. I wrote that this is very...

4.3 CVSS, 5.6 AI score, 0.01856 EPSS
Exploits: 4

securityvulns
added 2013/01/14 12:0 a.m., 46 views

Multiple vulnerabilities in TinyBrowser

Hello 3APA3A! I want to warn you about multiple vulnerabilities in TinyBrowser for TinyMCE. These are new vulnerabilities in addition to my 2009 and 2011 advisories about Arbitrary File Upload and Code Execution vulnerabilities in TinyBrowser. It concerns both TinyBrowser and all web applications...

1 AI score
Exploits: 0

securityvulns
added 2012/07/09 12:0 a.m., 35 views

XSS, Redirector and FPD vulnerabilities in WordPress

Hello 3APA3A! In June I disclosed vulnerabilities in WordPress, which I present to you here. They are in the Akismet plugin for WordPress, and it has been a core plugin since version WP 2.0, so these vulnerabilities concern WordPress itself. This is the first in a series of advisories concerning...

0.7 AI score
Exploits: 0

securityvulns
added 2012/07/09 12:0 a.m., 32 views

Vulnerabilities in LIOOSYS CMS

Hello 3APA3A! I am reporting SQL Injection and Information Leakage vulnerabilities in LIOOSYS CMS. This is a Polish commercial CMS. SQL Injection WASC-19: http://site/index.php?id=-120union20select201,version,3,4,5/ Information Leakage WASC-13: http://site/files/db.log Leakage of the error log of queries to...

8.5 AI score
Exploits: 0

Packet Storm
added 2011/12/08 12:0 a.m., 15 views

Zeema CMS Cross Site Scripting / SQL Injection

Hello list! I want to warn you about Cross-Site Scripting, SQL Injection and Information Leakage vulnerabilities in Zeema CMS. It's Ukrainian commercial CMS. ------------------------- Affected products: ------------------------- Vulnerable are all versions of Zeema CMS. ---------- Details:...

0.6 AI score
Exploits: 0

Packet Storm
added 2011/12/04 12:0 a.m., 19 views

Zeema CMS Cross Site Scripting / Path Disclosure

Hello list! I want to warn you about Brute Force, Cross-Site Scripting and Full path disclosure vulnerabilities in Zeema CMS. It's Ukrainian commercial CMS. ------------------------- Affected products: ------------------------- Vulnerable are all versions of Zeema CMS. ---------- Details:...

Exploits: 0

securityvulns
added 2011/09/13 12:0 a.m., 40 views

Vulnerabilities in JBoss Application Server

Hello 3APA3A! I am reporting Information Leakage and Brute Force vulnerabilities that I found in JBoss Application Server. Information Leakage WASC-13: http://site/status http://site/status?full=true Publicly accessible server operation statistics with a list of all its services. Brute Force WASC-11:...

7.1 AI score
Exploits: 0

Packet Storm
added 2011/07/16 12:0 a.m., 19 views

MyST BlogSite URL Redirect / Information Leakage

=============================== MyST BlogSite | Multiple Vulnerabilities =============================== 1. VULNERABILITY DESCRIPTION -- Issue Title: Arbitrary URL Redirect Component: MyST BlogSite ClickDirector Ref: OWASP - Top 10 - 2010 - A10 Ref-Link:...

7.4 AI score
Exploits: 0

securityvulns
added 2011/06/08 12:0 a.m., 31 views

IL and XSS vulnerabilities in many themes for WordPress

Hello 3APA3A! I am reporting Information Leakage and Cross-Site Scripting vulnerabilities that I found in many themes for WordPress. Various templates contain test.php, a script with phpinfo, which leads to Information Leakage, a leak of FPD and other important information about the server, and XSS in PHP 4.4.1,...

Exploits: 0

securityvulns
added 2011/04/21 12:0 a.m., 34 views

Multiple vulnerabilities in MyBB

Hello 3APA3A! I am reporting Information Leakage, Abuse of Functionality, Insufficient Anti-automation and Brute Force vulnerabilities that I found in MyBB. Information Leakage WASC-13: Logins are the usernames on the forum, so logins can be discovered on the forum pages. Abuse o...

7.2 AI score
Exploits: 0

securityvulns
added 2011/04/04 12:0 a.m., 36 views

Vulnerabilities in MyBB

Hello 3APA3A! I am reporting Cross-Site Scripting and SQL DB Structure Extraction vulnerabilities that I found in MyBB. The vulnerabilities are in the search.php and private.php scripts. XSS WASC-08: http://websecurity.com.ua/uploads/2011/MyBB20XSS.html...

Exploits: 0

securityvulns
added 2011/03/29 12:0 a.m., 27 views

XSS, SQL Injection and SQL DB Structure Extraction vulnerabilities in Cetera eCommerce

Hello 3APA3A! I am reporting new Cross-Site Scripting, SQL Injection and SQL DB Structure Extraction vulnerabilities that I found in Cetera eCommerce. XSS WASC-08 also work in version 15.0: http://site/catalog/3Cscript3Ealertdocument.cookie3C/script3E/...

Exploits: 0

Packet Storm
added 2011/02/11 12:0 a.m., 29 views

Firebook 3.100328 Cross Site Scripting / Leakage

Hello list! I want to warn you about Information Leakage, Brute Force and Cross-Site Scripting vulnerabilities in Firebook. ------------------------- Affected products: ------------------------- Vulnerable are Firebook 3.100328 and previous versions. ---------- Details: ---------- Information...

7.4 AI score
Exploits: 0

securityvulns
added 2011/02/11 12:0 a.m., 51 views

Multiple vulnerabilities in Firebook

Hello 3APA3A! I am reporting Information Leakage, Brute Force and Cross-Site Scripting vulnerabilities that I found in Firebook. Information Leakage WASC-13: http://site/cgi-bin/firebook/firebook.cgi The page has a SystemInfo section with Full path disclosure and the names of the web application's database txt files...

6.5 AI score
Exploits: 0