Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Multiple vulnerabilities in Megapolis.Portal Manager
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 7 Oct 2012 20:51:34 +0300

Hello list!

I want to warn you about multiple Cross-Site Scripting vulnerabilities in 
Megapolis.Portal Manager.

It's commercial CMS from Softline-IT (earlier Softline), which in 
particularly widespread among Ukrainian government sites (including 
ministry, parliament, two special services and many other web sites). In 
previous years I already wrote about multiple vulnerabilities in 
Megapolis.Portal Manager. These particular vulnerabilities were found at web 
sites of ministry and parliament.

Affected products:

Vulnerable are all versions of Megapolis.Portal Manager.

Developer of Megapolis.Portal Manager declined to fix these vulnerabilities.


XSS (WASC-08):










2012.07 - found multiple vulnerabilities at multiple government sites, 
including web sites of ministry and parliament. In addition to all those 
holes during 2006-2012.
2012.07 - informed admins of these sites.
2012.07.13 - announced at my site about holes in Megapolis.Portal Manager.
2010.07.16 - informed developers.
2010.07.16 - developers answered, that they don't care about these holes 
(and so about all web sites on their CMS) and will not fix them.
2010.07.19 - I've disagreed with developers' position and suggest to not 
decline the support of the government sites for which they were paid.
2012.10.06 - disclosed at my site (http://websecurity.com.ua/5949/).

Best wishes & regards,
Administrator of Websecurity web site

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Multiple vulnerabilities in Megapolis.Portal Manager MustLive (Oct 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]