| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Mar 2010 18:59:36 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <bugtraq@...urityfocus.com> Subject: New vulnerabilities in Abton Hello Bugtraq! I want to warn you about new vulnerabilities in Abton. It's commercial Ukrainian CMS. ----------------------------- Advisory: New vulnerabilities in Abton ----------------------------- URL: http://websecurity.com.ua/3618/ ----------------------------- Timeline: 17.02.2009 - found the vulnerabilities. 23.10.2009 - announced at my site. 17.02.2009 - informed developers. Because these vulnerabilities were mentioned in comments at my site during discussion of previous holes in Abton, then developers should read about them already at 17.02.2009 and should fixed them along with previous ones, but they didn't do it, so after the official announcement of these holes, I additionally informed them. 19.02.2010 - disclosed at my site. ----------------------------- Details: These are SQL Injection and Directory Traversal vulnerabilities. SQL Injection: http://site/files.php?refdll=-1+union+select+version()%23 A visitor of my site informed me about this SQL Injection during discussion of previous holes in Abton. And after that I found possibility of using this vulnerability for conducting of Directory Traversal attacks. Directory Traversal (via SQL Injection): http://site/files.php?refdll=-1+union+select+’../file.php’%23 Vulnerable are all versions of Abton before the version where developers fixed these holes. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
Powered by blists - more mailing lists