| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cb42ef461c39f65e21a76042fac4b329.squirrel@bitmailendavkbec.onion>
Date: Thu, 15 May 2014 17:17:24 -0700
From: "Edge" <edge@...message.ch>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2014-3749] Construtiva CIS Manager CMS POST SQLi
Construtiva CIS Manager CMS POST SQLi
TL;DR;
======
. PRODUCT : Construtiva CIS Manager
. TYPE : SQLi http://site/autenticar/lembrarlogin.asp (POST email)
. CVE : CVE-2014-3749
Software Description
====================
. The CIS Manager platform is a complete and powerful tool to manage
sites and corporative portals on the Internet. The platform components
bring autonomy to your company to manage the content (structure,
texts, images, downloadable files, articles, news...) without the need
of a developer.
(...)
Release date
============
2014-05-16
Details
=======
. SQL injection using POST parameters:
URL: http://site/autenticar/lembrarlogin.asp
TYPE: error-based
PARAM: email
PAYLOAD: email=xxx' AND (...)
Disclosure Timeline
===================
2014-04-16: Vendor notification.
2014-04-26: No response. Vendor notification again.
2014-05-10: No response. Vendor notification again.
2014-05-16: Public disclosure.
Contact
=======
Thiago C.
edge () bitmessage.ch
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists