Full Disclosure mailing list archives
Re: SQL Injection vulnerability in CMS WebManager-Pro
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 29 Aug 2010 01:56:31 +0300
Hello Henri! Last week (on the previous Saturday) I wrote you two letters regarding our previous conversations, and I received messages about problems with your mail server. It looks like you still have those problems (because I didn't receive an answer from you). In case you didn't receive those two letters, contact me from another working e-mail and I'll resend them to you. I hope at least you'll be able to read this letter in the mailing list. Concerning your last letter:
Did you ask for a CVE identifier for this issue?
I already told you about my position concerning CVE identifiers in our previous conversation and in one of the last (above-mentioned) letters. You can use the SecurityVulns ID instead of a CVE identifier while the CVE guys are giving a CVE id to the vulnerability which I described in my advisory. For this hole it's SecurityVulns ID: 11066.
Did you report this to the developers?
Yes, of course. And they ignored it and didn't fix this hole, as I mentioned in the post at my site (as the developers ignored all other holes in their engine which I've informed them about). In the advisory I wrote only the most important information concerning this vulnerability. I always inform developers about vulnerabilities in their web apps, except not serious developers, and in such cases I officially write about that (that they will not be informed and so they need to read my published advisories in security mailing lists), like in the case of vulnerabilities in WordPress (http://www.securityfocus.com/archive/1/510274) which I disclosed this year. I did much more than just inform the developers (at the end of 2009, in April 2010 and especially in summer 2010). After finding this hole, and after that a lot of other holes at different sites on this engine, I also found that there are two versions of this engine: two different engines of a commercial CMS made by different design studios (which have the same roots, as I found during my research; it looks like it was one engine of one studio and then they divided it into two different engines). Both engines have the same name "CMS WebManager-Pro", but because they have many different holes (only some holes are the same in both engines) and different version numbering, I used different names for them: CMS WebManager-Pro (original) and CMS WebManager-Pro (version from FGS_Studio), as I mentioned in my advisory. So the users of these engines and everyone who is interested will be able to identify which versions of which of the two CMS WebManager-Pro engines are vulnerable. Also I informed both developers about the first hole (even though only one of the two engines was vulnerable, to let both developers know that their engines were very vulnerable and that I'd be informing them about other holes), and informed both developers many times about a lot of other holes in their engines. And there will be new advisories about other holes in these engines.
Also I informed the admins of many tens of sites on both of these engines (including three government sites) which have many holes (in these engines). Also I unhacked one site on this engine which was occupied by black SEO guys (who for 7 months were gaining cash from illegal advertising on this site): I kicked them out of the site. So I spent a lot of time on these two "CMS WebManager-Pro" engines.
You should include more information in your reports. For example, which version isn't affected, if any.
I wrote exactly what is most important for a report about this vulnerability. Because all versions of this engine are vulnerable and there are no non-affected versions, I didn't write about them. But because only one of the two "CMS WebManager-Pro" engines is vulnerable, I wrote about this aspect in the advisory. I write about non-affected versions only if there are such ones.
If I am correct this is an English-speaking mailing list, so we are not interested in your www-page when the articles are in a language that most of us can't read. The page does not seem to include the information I am looking for.
Yes, it's an English-speaking mailing list and so I write all information in English to it. In my advisories I always write all important information (so I can skip such additional information as "developer ignored to fix the hole"), so nobody will need to look for other information at my site (and will go to my site only if the person really wants to do it). The link is only for reference, so there is no need to click on it without need. As I already told you, I write in Ukrainian at my site, in Russian to SecurityVulns, and in English to Bugtraq and Full-Disclosure about the same hole/holes in my advisories. And I always write all important information concerning every particular hole in every particular web application.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Henri Salo" <henri () nerv fi>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Thursday, August 12, 2010 4:38 PM
Subject: Re: [Full-disclosure] SQL Injection vulnerability in CMS WebManager-Pro
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 11 Aug 2010 21:04:51 +0300 "MustLive" <mustlive () websecurity com ua> wrote:

> Hello Full-Disclosure!
>
> I want to warn you about a SQL Injection vulnerability in CMS WebManager-Pro.
>
> SQL Injection:
>
> http://site/index.php?content_id=-1%20or%20version()=4
>
> Affected software: Vulnerable are CMS WebManager-Pro v.7.4.3 (version from FGS_Studio) and previous versions. The original version of CMS WebManager-Pro isn't vulnerable (there are two different versions of this CMS from different developers).
>
> I mentioned this vulnerability at my site (http://websecurity.com.ua/3576/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

Did you ask for a CVE identifier for this issue?

Did you report this to the developers?

You should include more information in your reports. For example, which version isn't affected, if any.

If I am correct this is an English-speaking mailing list, so we are not interested in your www-page when the articles are in a language that most of us can't read. The page does not seem to include the information I am looking for.

Best regards,
Henri Salo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkxj+WMACgkQXf6hBi6kbk/R1gCgwQg6xQUsaW51ugti86wk0i+E
8PoAnRzKoFhX//W0wVH7VFOq23cGmCjQ
=TJCL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
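The advisory quoted in this thread reports that the `content_id` parameter of `index.php` is used in a SQL query without validation, so a non-numeric value such as `-1 or version()=4` is parsed as SQL. The following is an added example (not code from CMS WebManager-Pro, MustLive or Henri Salo) showing, on the defender's side, the vulnerable string-interpolation pattern next to a hardened version, and a check that flags requests in a web-server access log whose `content_id` would fail that same validation. The table layout, the function names and the access-log lines are constructed for this illustration; the log lines reuse only the request form that appears in the advisory.

```python
"""Validation and log-detection checks for the content_id SQL injection pattern
described in the CMS WebManager-Pro advisory. Added example; the schema,
helper names and log lines below are constructed, not taken from the CMS."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined-log style (not real traffic).
# Line 2 carries the request form given in the advisory; line 4 is simply
# malformed (empty id) and is flagged by the same rule.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2010:21:04:51 +0300] "GET /index.php?content_id=42 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Aug/2010:21:05:02 +0300] "GET /index.php?content_id=-1%20or%20version()=4 HTTP/1.1" 200 5120
198.51.100.9 - - [11/Aug/2010:21:05:10 +0300] "GET /index.php?content_id=17&lang=en HTTP/1.1" 200 4870
198.51.100.9 - - [11/Aug/2010:21:05:30 +0300] "GET /index.php?content_id= HTTP/1.1" 200 4870
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def validate_content_id(raw):
    """The fix a maintainer would apply before the value reaches SQL:
    content_id must be a plain non-negative integer. Returns int or None."""
    if raw is None or not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)


def build_demo_db():
    """In-memory stand-in for the CMS content table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)", [(1, "Home"), (42, "About")])
    return conn


def lookup_unsafe(conn, raw):
    """Vulnerable pattern: the raw parameter is interpolated into the query,
    so whatever follows the number is executed as SQL. SQLite has no
    version() function, so the advisory's input surfaces as a SQL error,
    which shows the text was parsed as SQL rather than treated as data."""
    try:
        return conn.execute(f"SELECT title FROM content WHERE id={raw}").fetchall()
    except sqlite3.OperationalError as exc:
        return ("sql-error", str(exc))


def lookup_safe(conn, raw):
    """Hardened pattern: validate to an integer, then bind it as a parameter."""
    cid = validate_content_id(raw)
    if cid is None:
        return []
    return conn.execute("SELECT title FROM content WHERE id=?", (cid,)).fetchall()


def suspicious_requests(log_text):
    """Return (client_ip, decoded content_id) for every logged request whose
    content_id fails validate_content_id. parse_qs percent-decodes the value,
    so the rule is applied to what the application would actually see."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if "content_id" not in params:
            continue
        raw = params["content_id"][0]
        if validate_content_id(raw) is None:
            hits.append((line.split()[0], raw))
    return hits


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe, advisory input:", lookup_unsafe(db, "-1 or version()=4"))
    print("safe, advisory input:  ", lookup_safe(db, "-1 or version()=4"))
    print("safe, id 42:           ", lookup_safe(db, "42"))
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"flagged {ip}: content_id={value!r}")
```

The same allow-list rule serves both purposes: applied in the application it removes the injection, and applied to the access log it gives a low-noise detection for a parameter that should never be anything but a number. Reusing the validation function in the detector keeps the two in sync, so any value the hardened code would reject is exactly what the log check reports.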