information, Execution of arbitrary code via network, Modification of user and admin information, User access via network.
Quickly secure pages or portions of your web site from unregistered visitors. Easy to integrate security into existing sites! Login to admin to send 'Expiry Notices', upload & download user data, capture member activity, browser & os info, add optional fields, send subscriber newsletters, group & relate people, verify email addresses…
Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks.
A problem of sanitation in resend.asp, news_view.asp, could lead an attacker to inject SQL code to manipulate and disclose information from the database. The same problem is present in administration site in more scripts.
Examples: http://[host]/resend.asp?ID=[SQL query] http://[host]/news_view.asp?ID=[SQL query]
Another problem of sanitation permits an attacker inject a XSS in the register form (register.asp), this will be executed at the administration site permitting the attacker to modify or delete data. Also is possible a XSS attack in error.asp.
Example: http://[host]/error.asp?err=">[XSS] Example to delete a user: In the register form: "><iframe src=http://[host]/admin/user_del.asp?ID=[ID to delete]>
Vendor contacted, the vulnerabilities will be addressed very soon. Thanks to Vladimir S. Pekulas. http://www.expinion.net/software/app_mms.asp
Manuel López. firstname.lastname@example.org