Vulnerabilities in CMS MYsite

Hello Bugtraq!

I want to warn you about Full path disclosure, Cross-Site Scripting and SQL
Injection vulnerabilities in CMS MYsite. It's Ukrainian commercial CMS.

Full path disclosure (WASC-13):


XSS (WASC-08):


SQL Injection (WASC-19):


Affected products:

All versions of CMS MYsite before last one where vulnerabilities were fixed


2010.06.29 - announced at my site and later informed developers of CMS.
Developers quickly answered that they'd look at them.
2010.09.25 - disclosed at my site. Developers didn't inform me when they
fixed the holes, but today I found that they already fixed holes (at least
at their own site). But I note, that even XSS is fixed, but not efficiently,
so at turned off mq at the site it's possible to conduct XSS attack,
particularly with using of MouseOverJacking.

I mentioned about these vulnerabilities at my site

Best wishes & regards,
Administrator of Websecurity web site

Relevant Pages