[<prev] [next>] [day] [month] [year] [list]
Message-ID: <484EE509.5010707@gmail.com>
Date: Tue, 10 Jun 2008 14:33:13 -0600
From: Psymera <psymera@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
vulnwatch@...nwatch.org, vuln@...uritynation.com
Subject: Many bugs on CMS system Piugame
Many bugs on CMS system Piugame
http://www.piugame.com
Researcher: Psymera
1.-Overview
Piugame CMS is one system used for control and contac of Pump It up
Gamers over the world and
Metod of control for official tournamets over the wold
2.-Description
This system has a vulnerabily as Sql Injection, Bypass credentials, XSS
and many others bugs
The system its too poor programed and not have a good method of control
on the variables has be sendend
Examples:
Script: club.piugame.com/list.html
SQL Injection:
Variable "stt" vulnerable
XSS:
Variables:
“order”
“stt”
“tb”
“ss2”
“SC”
“ss1”
“sst1”
“tbname”
“page”
“category”
“key”
“keyword”
“divpage”
Global Script: /home1/piuclub/public_html/_club/tempst_bbs/lib.php
SQL Injection:
variable: "community_no"
And of this form many others scripts has vulnerable for many other types
of attacks
4.- Disclosure Timeout
Vendor Contacted:
15-Marzo-2008 Vendor never response.
11-Abril-2008 Vendor never response.
24-Mayo-2008 Vendor never response.
Public Advisory: 10-Junio-2008
5.- Copyright
Researcher: Psymera
http://www.securitynation.com - Security Nation is a Lab Supported by
RISS Security Services.
http://www.riss.com.mx
Copyright SecurityNation.
Contact: psymera@...il.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists