Vulnerabilities in CMS MYsite
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 25 Sep 2010 16:28:57 +0300
I want to warn you about Full path disclosure, Cross-Site Scripting and SQL
Injection vulnerabilities in CMS MYsite. It's a Ukrainian commercial CMS.
Full path disclosure (WASC-13):
SQL Injection (WASC-19):
All versions of CMS MYsite before the last one, where the vulnerabilities were fixed
2010.06.29 - announced at my site and later informed the developers of the CMS.
The developers quickly answered that they'd look at them.
2010.09.25 - disclosed at my site. The developers didn't inform me when they
fixed the holes, but today I found that they had already fixed the holes (at least
at their own site). But I note that even though the XSS is fixed, it is not fixed
efficiently, so with mq turned off at the site it's possible to conduct an XSS attack,
particularly using MouseOverJacking.
I mentioned these vulnerabilities at my site
Best wishes & regards,
Administrator of Websecurity web site