lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 25 Aug 2010 23:41:50 +0300
From: "MustLive" <>
To: <>
Subject: Multiple vulnerabilities in eSitesBuilder

Hello Bugtraq!

I want to warn you about multiple vulnerabilities in eSitesBuilder. After
previous vulnerabilities in eSitesBuilder (SecurityVulns ID:10940), which I
wrote earlier in June, there are Insufficient Anti-automation, Cross-Site
Scripting, SQL Injection and Full path disclosure vulnerabilities in
eSitesBuilder. It's Ukrainian commercial CMS (which is used particularly for
online shops). Both previous and these vulnerabilities were ignored and not
fixed by developers.

Insufficient Anti-automation:


In the form there is no protection against automated requests (captcha).


It's single-user persistent XSS (when user is logged in at the site).

POST request to profile page http://site/account.php. Code will work at
profile page (fields Name, Email, Phone, Address 1, Address 2, City, Region)
and at all external pages of the site (field Name).

XSS (persistent):

Via field Name in profile it's possible to conduct attack at the pages:





SQL Injection:


Full path disclosure:


Affected products: possibly all versions of eSitesBuilder.

I mentioned about these vulnerabilities at my site

Best wishes & regards,
Administrator of Websecurity web site 

Powered by blists - more mailing lists