Construtiva CIS Manager CMS POST SQLi

2014-06-14T00:00:00
ID SECURITYVULNS:DOC:30868
Type securityvulns
Reporter Securityvulns
Modified 2014-06-14T00:00:00

Description

TL;DR

. PRODUCT : Construtiva CIS Manager
. TYPE    : SQLi http://site/autenticar/lembrarlogin.asp (POST email)
. CVE     : CVE-2014-3749

Software Description

. The CIS Manager platform is a complete and powerful tool to manage sites and corporate portals on the Internet. The platform components give your company the autonomy to manage content (structure, texts, images, downloadable files, articles, news...) without needing a developer.

 (...)

Release date

2014-05-16

Details

. SQL injection via a POST parameter:

     URL: http://site/autenticar/lembrarlogin.asp
     TYPE: error-based
     PARAM: email
     PAYLOAD: email=xxx' AND (...)
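To illustrate the bug class behind this advisory, here is an added classic ASP example (not Construtiva's code; the table, column, and connection-string names are assumed). It shows the string-concatenation pattern that makes a POST field such as `email` injectable, beside a parameterised ADODB.Command version that also keeps database error text away from the client, which error-based injection relies on.

```vbscript
<%
' Added illustrative example, not the vendor's code. Assumes a table
' "usuarios" with columns "email" and "login" and a connection string
' stored in Application("ConnString"); all of these names are hypothetical.
Option Explicit

' VULNERABLE pattern: the posted value is concatenated into the SQL text.
' A quote character in the value alters the statement, and with detailed
' errors enabled the database's error message is echoed to the client.
Function LookupLoginUnsafe(email)
    Dim conn, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")
    Set rs = conn.Execute("SELECT login FROM usuarios WHERE email = '" & email & "'")
    If Not rs.EOF Then LookupLoginUnsafe = rs("login")
    rs.Close: conn.Close
End Function

' HARDENED pattern: ADODB.Command with a typed input parameter, so the
' value travels as data and is never parsed as SQL; database errors are
' handled server-side and never written to the response.
Function LookupLoginSafe(email)
    Dim conn, cmd, rs
    On Error Resume Next
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT login FROM usuarios WHERE email = ?"
    cmd.CommandType = 1                       ' adCmdText
    ' adVarWChar = 202, adParamInput = 1, maximum length 255
    cmd.Parameters.Append cmd.CreateParameter("@email", 202, 1, 255, email)
    Set rs = cmd.Execute
    If Err.Number <> 0 Then
        ' Log Err.Description server-side; do not echo it to the client.
        LookupLoginSafe = ""
        Err.Clear
    ElseIf Not rs.EOF Then
        LookupLoginSafe = rs("login")
    End If
    On Error GoTo 0
End Function

' Reject obviously malformed input before touching the database.
Dim postedEmail
postedEmail = Request.Form("email")
If Len(postedEmail) = 0 Or Len(postedEmail) > 255 Or InStr(postedEmail, "@") = 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Response.Write Server.HTMLEncode(LookupLoginSafe(postedEmail))
%>
```

Turning off detailed ASP error pages for remote clients (IIS "Send Errors To Browser" / custom errors) removes the error channel even where a query slips through unparameterised.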

Disclosure Timeline

2014-04-16: Vendor notification.
2014-04-26: No response. Vendor notification again.
2014-05-10: No response. Vendor notification again.
2014-05-16: Public disclosure.

Contact

Thiago C. edge () bitmessage.ch