Message-ID: <484EE509.5010707@gmail.com>
Date: Tue, 10 Jun 2008 14:33:13 -0600
From: Psymera <psymera@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, 
	vulnwatch@...nwatch.org, vuln@...uritynation.com
Subject: Many bugs on CMS system Piugame

Many bugs on CMS system Piugame
http://www.piugame.com

Researcher: Psymera

1.-Overview

Piugame CMS is the system used to manage and contact Pump It Up gamers 
around the world, and it is the means of control for official tournaments 
worldwide.

2.-Description

This system has vulnerabilities including SQL injection, credential 
bypass, XSS and many other bugs.
The system is poorly programmed and does not properly validate the 
variables that are sent to it.

Examples:
    Script: club.piugame.com/list.html
        SQL Injection:
            Variable "stt" vulnerable

        XSS:
            Variables:
                "order"
                "stt"
                "tb"
                "ss2"
                "SC"
                "ss1"
                "sst1"
                "tbname"
                "page"
                "category"
                "key"
                "keyword"
                "divpage"
        
    Global Script: /home1/piuclub/public_html/_club/tempst_bbs/lib.php
        SQL Injection:
            variable: "community_no"

In the same way, many other scripts are vulnerable to many other types 
of attacks.
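The two bug classes named above come from the same root cause the advisory describes: request variables used without validation. The following is an added example, not code from the Piugame CMS or from the researcher, that models that pattern in Python against a constructed in-memory table (the table name, columns and rows are assumptions, as are the "open"/"closed" values of "stt"). It shows a listing query built by string concatenation beside its parameterised form, a reflected "keyword" beside its escaped form, and the two cases where binding alone is not enough: identifiers such as "order"/"tb"/"tbname", which must be allowlisted, and numeric ids such as "community_no", which must be type-checked.

```python
import html
import sqlite3

# Constructed sample data standing in for a club listing table.
# Schema, names and values are assumptions, not taken from piugame.com.
ROWS = [
    (1, "Pump It Up Fiesta", "open", 7),
    (2, "Tournament finals", "closed", 9),
    (3, "Private staff notes", "hidden", 9),
]

# Columns a client may sort by. Identifiers cannot be bound as query
# parameters, so they are checked against this allowlist instead.
ALLOWED_ORDER = {"id", "title"}


def make_db():
    """Build the in-memory table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER, title TEXT, stt TEXT, community_no INTEGER)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", ROWS)
    return conn


def list_posts_vulnerable(conn, stt):
    # The pattern the advisory describes: the request parameter is pasted
    # into the SQL text, so a quote character in it changes the query.
    sql = "SELECT id, title FROM posts WHERE stt = '" + stt + "'"
    return conn.execute(sql).fetchall()


def list_posts_hardened(conn, stt, order="id"):
    # Value is bound by the driver and can never be parsed as SQL;
    # the sort column is allowlisted because it cannot be bound.
    if order not in ALLOWED_ORDER:
        raise ValueError("unexpected order column: %r" % order)
    sql = "SELECT id, title FROM posts WHERE stt = ? ORDER BY " + order
    return conn.execute(sql, (stt,)).fetchall()


def parse_community_no(value):
    # Numeric ids such as community_no: accept only a plain integer string,
    # so payloads like "9 OR 1=1" are rejected before any query is built.
    if not value.isdigit():
        raise ValueError("community_no must be an integer")
    return int(value)


def posts_for_community(conn, community_no):
    # community_no has been validated by parse_community_no and is bound.
    return conn.execute(
        "SELECT id, title FROM posts WHERE community_no = ?", (community_no,)
    ).fetchall()


def render_keyword_vulnerable(keyword):
    # Reflecting a request parameter into the page verbatim is the
    # reflected-XSS pattern listed for "keyword" and the other variables.
    return "<p>Results for: " + keyword + "</p>"


def render_keyword_hardened(keyword):
    # HTML-encode on output; quote=True also covers attribute contexts.
    return "<p>Results for: " + html.escape(keyword, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", list_posts_vulnerable(db, payload))   # all three rows
    print("hardened:  ", list_posts_hardened(db, payload))     # no rows
    print(render_keyword_hardened("<script>alert(1)</script>"))
```

The check a practitioner would run on a real listing page is the same split: for each variable, confirm that a quote or an SQL keyword in the value cannot reach the query text, that identifiers are allowlisted rather than bound, that numeric ids are type-checked before use, and that every reflected value is HTML-encoded at the point where it is written into the page.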

3.- Disclosure Timeline
Vendor Contacted:
    15 March 2008: no response from vendor.
    11 April 2008: no response from vendor.
    24 May 2008: no response from vendor.

Public Advisory: 10 June 2008

4.- Copyright
Researcher: Psymera
http://www.securitynation.com - Security Nation is a Lab Supported by
RISS Security Services.
http://www.riss.com.mx
Copyright SecurityNation.
Contact: psymera@...il.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
