Vulnerabilities in AltConstructor



Hello Bugtraq!

I want to warn you about Cross-Site Scripting and Brute Force vulnerabilities in AltConstructor. It's a Ukrainian commercial CMS.

-------------------------
Affected products:
-------------------------

All versions of CMS AltConstructor before the version released on 16.08.2010
are vulnerable; in that version the developers fixed the holes after I informed them.

----------
Details:
----------

XSS (WASC-08):

http://site/search/index?search=%3Cbody%20onload='alert(document.cookie)'

Brute Force (WASC-11):

http://site/auth/login

------------
Timeline:
------------

2010.08.12 - announced on my site.
2010.08.13 - informed developers.
2010.08.14 - developers confirmed holes and began working on fixes.
2010.08.16 - developers released fixes. All users of old versions of CMS
need to contact developers for updates.
2010.10.08 - disclosed on my site.

I wrote about these vulnerabilities on my site
(http://websecurity.com.ua/4457/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
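
Added example, not part of the original advisory and not AltConstructor code: a log check an operator of an unpatched install could run to spot requests against the two endpoints listed under Details. The log format (Apache-style combined), the sample lines, the IP addresses and the threshold of 5 login POSTs per minute are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log; only the two request paths and the search value come from the advisory.
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Aug/2010:10:00:01 +0000] "GET /search/index?search=%3Cbody%20onload='alert(document.cookie)' HTTP/1.1" 200 512
203.0.113.5 - - [12/Aug/2010:10:00:02 +0000] "GET /search/index?search=cms+templates HTTP/1.1" 200 734
203.0.113.5 - - [12/Aug/2010:10:01:10 +0000] "POST /auth/login HTTP/1.1" 302 0
''' + "\n".join(
    f'192.0.2.9 - - [12/Aug/2010:10:02:{s:02d} +0000] "POST /auth/login HTTP/1.1" 200 310'
    for s in range(0, 40, 5))  # eight login attempts inside one minute

# client IP, timestamp, method, request target, status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Heuristic: angle brackets or an on<event>= attribute in a search term.
# It can flag harmless text such as "online=", so treat hits as leads to review.
MARKUP = re.compile(r'[<>]|\bon\w+\s*=', re.I)

def scan(log_text, max_logins_per_minute=5):
    """Return (search requests carrying markup, IPs exceeding the login rate)."""
    xss_hits, logins = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path == "/search/index":
            # parse_qs percent-decodes, so encoded payloads are matched too
            for value in parse_qs(url.query).get("search", []):
                if MARKUP.search(value):
                    xss_hits.append((ip, value))
        elif url.path == "/auth/login" and method == "POST":
            logins[(ip, ts[:17])] += 1  # bucket key: dd/Mon/yyyy:hh:mm
    brute = sorted({ip for (ip, _), n in logins.items()
                    if n > max_logins_per_minute})
    return xss_hits, brute

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG)
    print("search requests with markup:", hits)
    print("IPs over login threshold:", noisy)
```
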


