Date: Tue, 5 Oct 2010 20:48:27 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>
Subject: Vulnerabilities in CMS WebManager-Pro

Hello Bugtraq!

I want to warn you about Arbitrary File Uploading and Code Execution vulnerabilities in CMS WebManager-Pro. It's a Ukrainian commercial CMS.

SecurityVulns ID: 11176.

-------------------------
Affected products:
-------------------------

Vulnerable are both systems CMS WebManager-Pro from two developers. Vulnerable are versions CMS WebManager-Pro v.7.0 (version from WebManager) and previous versions, and also CMS WebManager-Pro v.7.4.3 (version from FGS_Studio) and previous versions.

----------
Details:
----------

Arbitrary File Uploading (WASC-42):

In admin panel in section "files" (http://site/admin/files.php) uploading of arbitrary files is possible.

Code Execution (WASC-31):

In admin panel in section "files" (http://site/admin/files.php) uploading of php-scripts is possible.

This concerns all versions of CMS WebManager-Pro from FGS_Studio, and also versions of WebManager-Pro from WebManager up to 7.0 inclusive. But there are sites with this CMS version 7.0 and higher, where there is a protection (on site level) from execution of php-scripts; in such case only Arbitrary File Uploading is possible.

------------
Timeline:
------------

2010.07.10 - announced at my site.
2010.07.11 - informed developers.
2010.10.02 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4362/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
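
An added example, not part of the original advisory and not WebManager-Pro code: a server-side upload check in PHP that addresses both issue classes named above (WASC-42 and WASC-31) by allowlisting file types and discarding the client-supplied name. The function names, the allowlist and the storage directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: permitted extension => MIME type the content must sniff as.
const ALLOWED_UPLOADS = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

// Returns a server-generated storage name for an acceptable upload, or null to reject it.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Only the final extension is read from the client-supplied name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return null; // rejects .php, .phtml, .htaccess, names without extension, ...
    }
    // The content itself must match the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        return null; // e.g. a script renamed to "x.jpg" or "x.php.jpg"
    }
    // Random name: nothing else from the client name (inner ".php.", path parts) survives.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Validates one entry of $_FILES and moves it into $storageDir.
// $storageDir is assumed to be outside the web root, or served with script
// execution disabled, so a file that slips through is never interpreted.
function store_upload(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safe_upload_name($file['name'], $file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($storageDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}
```

Content sniffing alone does not stop a valid image that also carries script text, which is why the storage location must not execute scripts regardless of what the check accepts.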