
content management system

[Suspected Spam] Content Papst CMS v2011.2 - Multiple Web Vulnerabilities

363


Introduction:
=============
Contentpapst is a powerful and very flexible content management system (CMS) designed especially for small and
medium-sized businesses, public authorities and organizations. With the Contentpapst CMS you will manage your company homepage,
your club website, etc. entirely through the browser from now on, without any additional software!

(Copy of the Vendor Homepage: http://www.sandoba.de/produkte/cms-contentpapst/)


'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332)

Mark Stanislav - mark.stanislav@gmail.com


I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Pointter PHP Content Management System' authentication system which allows for administrative privileges by crafting two specific cookies with arbitrary values.

 
II. TESTED VERSION

Vulnerabilities digest

Additional information (in Ukrainian): http://websecurity.com.ua/1347/
Original message (in Russian): http://securityvulns.ru/Sdocument3.html

8.  durito  [NGH  Group]  reports

   8.1 multiple SQL injections in Stride v1.0 Content Management System,
   Merchant, Courses. Examples:

 Content Management System

  http://www.example.com/main.php?p=[SQL]

XSS vulnerability in CMSimple

<input type="hidden" name="security_password" value="test" />
<input type="hidden" name="security_type" value="page" />
<input type="hidden" name="site_title" value='CMSimple site"><script>alert(document.cookie)</script>' />
<input type="hidden" name="site_template" value="default" />
<input type="hidden" name="language_default" value="ru" />
<input type="hidden" name="meta_keywords" value="CMSimple, Content Management System, php" />
<input type="hidden" name="meta_description" value="CMSimple is a content management system" />
<input type="hidden" name="backup_numberoffiles" value="5" />
<input type="hidden" name="images_maxsize" value="150000" />
<input type="hidden" name="downloads_maxsize" value="1000000" />
<input type="hidden" name="mailform_email=" value="" />

XSRF (CSRF) in CMSimple

<input type="hidden" name="security_password" value="newpassword" />
<input type="hidden" name="security_type" value="page" />
<input type="hidden" name="site_title" value='CMSimple site' />
<input type="hidden" name="site_template" value="default" />
<input type="hidden" name="language_default" value="ru" />
<input type="hidden" name="meta_keywords" value="CMSimple, Content Management System, php" />
<input type="hidden" name="meta_description" value="CMSimple is a content management system" />
<input type="hidden" name="backup_numberoffiles" value="5" />
<input type="hidden" name="images_maxsize" value="150000" />
<input type="hidden" name="downloads_maxsize" value="1000000" />
<input type="hidden" name="mailform_email=" value="" />

[ECHO_ADV_84$2007] ProfileCMS <= 1.0 Remote SQL Injection Vulnerability

Application   : ProfileCMS  
version       : <= 1.0
Vendor        : http://profilecms.com/
Description :

ProfileCMS is a powerful Content Management System for Social Networking profile codes and widgets. There are no other scripts that offer the freedom, features and practicality of ProfileCMS; we have constructed an easy to use, accessible platform for both webmasters and front end users. Based on the popular MSCMS system which has been the Number 1 Myspace Content Management System for almost 1 year now, ProfileCMS allows webmasters to take advantage of the ever growing popularity of social networking sites and offer users codes and widgets from ANY social network.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

QuickerSite Multiple Vulnerabilities

###################################################################################

####################
1. Description:
####################
        QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1000 visitors/day). 
####################
2. Vulnerabilities:
####################
        2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
                2.1.1. Exploit:

TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion

Application:     TikiWiki
Version:         <= 1.9.8.1
Vendor:          http://tikiwiki.org

Description:
TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.


--------------
Vulnerability:
--------------

SASPCMS Multiple Vulnerabilities

####################
- Description:
####################

SASPCMS is an ASP Content Management System. SASPCMS uses MSSQL
& Microsoft Access as backend database.

####################
- Vulnerability:
####################

[ECHO_ADV_111$2009] Joomla Hotel Booking System Component XSS/SQL Injection Multiple Vulnerability

Joomla HBS (Joomla Hotel Booking System) was designed to simplify the task of online booking in Joomla Content Management Website. 
It provides users a unique, intuitive and easy to use interface that improves the way people use the web today.
Joomla Hotel Booking System (Joomla HBS) enhances the entire Hotel Booking web experience in Joomla!. 
It's Flexible, Simple, Elegant, Customizable and Powerful. Joomla HBS is easy to install, simple to manage and reliable.

Joomla Hotel Booking / Reservation System to be used together with a Content Management System (CMS) called Joomla!.
Joomla and Joomla HBS are written in PHP and made for easy use in a PHP / MySQL environment.

--------------------------------------------------------------------------

Vulnerability:

Blaze Apps Multiple Vulnerabilities

####################
- Description:
####################

Blaze Apps is an ASP .NET 2 Content Management System. It uses VB and
C# as backend languages and uses Microsoft SQL Server as its DBMS.

####################
- Vulnerability:

appRain CMF v0.1.5 - Multiple Web Vulnerabilities

Introduction:
=============
appRain is one of the first officially released Opensource Content Management Framework (CMF). 
CMF is a new web engineering concept where CMS (Content Management System) and Framework
perform together to produce endless varieties of output in a very limited time.

appRain, published with lots of extensive features to reduce our development work time. 
It satisfies both Client and Developers with a safe and quality output.


XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

2. BACKGROUND

XOOPS is an acronym of eXtensible Object Oriented Portal System. It's
the #1 Content Management System (CMS) project on www.sourceforge.net
and a recipient of several awards, and constantly places as finalist
in various CMS and Open Source competitions. It incorporates many
modules such as forums, photo galleries, calendars, article management
etc.


Acidcat CMS Multiple Vulnerabilities

####################
1. Description:
####################
Acidcat CMS is a web site and simple Content Management System that can be administered via a web browser.

####################
2. Vulnerability:
####################
        2.1. There is a SQL Injection in "default.asp". By using it, an attacker can gain usernames and encrypted passwords.

[Suspected Spam] Bart`s CMS - SQL Injection Vulnerability

390


Introduction:
=============
It is a website Content Management System that is built with Codecharge Studio. There will also be a 
commercial package, which contains all source code AND the Codecharge Studio project files.
More information on Codecharge Studio can be found on the website of Yessoftware.

Currently the CMS includes the following modules:


chillyCMS Multiple Vulnerabilities

####################
- Description:
####################

chillyCMS is a Content Management System. Its main features are:
easily edit your content in a WYSIWYG editor,
manage your users in different groups with different rights,
upload single files or whole zip archives,
insert your pictures into the content by drag and drop,
one click backup with integrated installer,

eXV2.de Browser Cookie is not properly sanitised

============
http://www.i-s-o.org/security.txt

Introduction
============
eXV2.de CMS is a Content Management System.

More Details
============
1. Cross Site Scripting:
Input passed directly to the "set_lang" parameter in the Browser Cookie is not properly sanitised before being returned to the user.

Joomla 1.0.12 CMS - Session fixation Issue in backend Administration interface

Introduction
============

Joomla CMS is a popular Content Management System.


Security Risk
=============
It is possible to manipulate administrator interface cookies, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records, and to perform transactions as that user.

webSPELL 4.2.0c--XSS (BYPASS BBCODE) COOKIES STEALING VULNERABILITY--

-->WEB: http://www.webspell.org/ (affected too)
-->DOWNLOAD: http://www.webspell.org/download.php?fileID=22
-->DEMO: http://www.webspell.org/index.php?site=demo
-->CATEGORY: CMS / Portals
-->DESCRIPTION: webSPELL is a free Content Management System (CMS) for clans and
   gaming communities, providing all needed features like forums, gallery, clanwar...

-------------------
CMS VULNERABILITY:
-------------------

Smeego CMS vulnerability

# Contact: 0in(dot)email[at]gmail(dot)com
#--------------------------------------------------------
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor
#--------------------------------------------------------
# Description:
# Smeego is a Content Management System or Portal
# System written in PHP and designed to be
# easy to install and use. Smeego has a mature code 
# and comes with cool modules and themes 
# for you to start your own dynamic and database 
# driven website. Bla bla Bla [...]

eGov Content Manager Cross Site Scripting Vulnerability

Remote: YES
Local: N/A


Vendor: eGov Strategies LLC
Product: Content Management System

http://www.egovstrategies.com/




[ISecAuditors Security Advisories] Tikiwiki CMS is vulnerable to path traversal attack

-------------------------
Tikiwiki CMS is vulnerable to path traversal attack

II. BACKGROUND
-------------------------
Tikiwiki (Tiki) is a Free Software (LGPL) Content Management System
solution that unifies many features like wikis, forums, blogs,
articles, galleries, mapserver, link directory.

This software is massively used in the World Wide Web, and has been
audited by the security community for years.

DotNetNuke Remote Code Execution vulnerability

Fix available: Yes
=======================================

PRODUCT
-------------
DotNetNuke is an open source Content Management System (CMS) based on Microsoft ASP.NET. DotNetNuke powers over 600,000 production web sites worldwide. More information can be found at:
http://www.dotnetnuke.com/Intro/AtAGlance/tabid/1579/Default.aspx

VULNERABILITY
-------------
An anonymous attacker can upload ASPX files, access these files and is then able to execute arbitrary commands on the web server. This leads to full compromise of the DotNetNuke environment and possibly compromise of other web applications and/or information on the web server.

Advisory SE-2007-01: TikiWiki Remote PHP Code Evaluation Vulnerability

Overview:

   Quote from http://www.tikiwiki.org
   "TikiWiki (Tiki) is your Groupware/CMS (Content Management System) 
    solution. Tiki has the features you need:   
    * Wikis (like Mediawiki)
    * Forums (like phpBB)
    * Blogs (like WordPress)
    * Articles (like Digg)

Falt4 CMS Security Report/Advisory

05 December  2007  -- Fix Released 
10 December  2007  -- Public Disclosure

What is Falt4Extreme
------------------------
Falt4 CMS is a business approved Content Management System (CMS) under the LGPL. The CMS is feature-rich and has a clean administration area. The ultimate CMS with functions for the professional, usable by everyone. CMS modules are available.

Overview of Vulnerabilities
------------------------
The script is vulnerable to both of XSS and Blind SQL Injection attacks.


Secunia Research: TomatoCMS Script Insertion Vulnerabilities

Where:  From remote

======================================================================
3) Vendor's Description of Software 

"TomatoCMS is an impressive, powerful Content Management System. It's
free and open source licensed under GNU GPL."

Product Link:
http://tomatocms.com/


Writers Block SQL Injection Vulnerabilities

[x] Vendor Information

"If the written word is the wheel, then Writer’s Block is the sweet, sweet fossil fuel in the 
engine that keeps it spinning. A free, flexible, elegant Content Management System that helps 
you maintain any web site you want, at any size you want, with no hassle and no restrictions.
In fact, it’s running this entire site right now."

http://www.desiquintans.com


[InterN0T] LightNEasy 2.2.2 - HTML Injection Vulnerability

LightNEasy - HTML Injection Vulnerability

Version Affected: 2.2.2 (15th January 2009) (newest)

Info: LightNEasy, a simple and light Content Management System and Website Builder

Credits: InterN0T

External Links:
http://lightneasy.org/

[waraxe-2007-SA#052] - dBlog CMS Open Source database retrieval

Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.dblog.it/sito/default.asp

DBlog CMS is an open source Content Management System for IIS/ASP platform.
Some days ago dBlog 2.0 hit the goal of the 110.000 platform downloads, 
over 100.000 of them regarding the latest version.

GoogleDork: inurl:"articolo.asp" "powered by dblog"


Vulnerabilities in CCMS

Hello Bugtraq!

I want to warn you about security vulnerabilities in system CCMS - Clan
Content Management System.

In this advisory I continue to inform readers of mailing lists about
vulnerable web applications which are using CaptchaSecurityImages.php. If
you read Bugtraq you could have seen the letter, from which it's clearly seen that
web developers ignore the advisory about holes in CaptchaSecurityImages.php
itself, and only pay attention to advisories about their specific web


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
