Hello list! I want to warn you about Insufficient Anti-automation and Cross-Site Scripting vulnerabilities in CMS WebManager-Pro.
It's Ukrainian commercial CMS. Earlier I already told about interesting RCE vulnerability in this CMS, which I mentioned about last month in article Placing shells (backdoors) at web sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007508.html). ------------------------- Affected products: ------------------------- Vulnerable are CMS WebManager-Pro v.7.4.3 (version from FGS_Studio) and previous versions. ---------- Details: ---------- Insufficient Anti-automation (WASC-21): At contact page (http://site/index.php?menu_id=x) there is no protection against automated requests (captcha). XSS (WASC-08): POST request at contact page (http://site/index.php?menu_id=x) <script>alert(document.cookie)</script> In fields: Name, E-mail, Phone, Subject, Text. ------------ Timeline: ------------ 2011.01.11 - announced at my site. 2011.01.12 - informed developers. 2011.03.11 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4831/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/