| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Sep 2014 00:55:43 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org> Subject: [FD] Vulnerabilities in In-Portal CMS Hello list! These are Cross-Site Scripting and Brute Force vulnerabilities in In-Portal CMS. ------------------------- Affected products: ------------------------- Vulnerable are In-Portal CMS 5.2.0 and previous versions. In version In-Portal CMS 5.2.1 at 31.08.2014 developers fixed XSS vulnerability after my warning. But didn't fix BF, only gave recommendations about protection against these attacks (it's their solution). They recommend for users of the system to limit access to admin panel by IP. ------------------------- Affected vendors: ------------------------- In-Portal http://in-portal.com ---------- Details: ---------- Cross-Site Scripting (WASC-08): http://site/admin/index.php?env=-login:m0--1--s-&next_template=%22%3E%3Cbody%20onload=alert(document.cookie)%3E Brute Force (WASC-11): http://site/admin/index.php I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7276/). Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists