HackDig : Dig high-quality web security articles for hacker

Gecko CMS 2.3 Multiple Vulnerabilities

2015-01-12 21:55
Title: Gecko CMS 2.3 Multiple Vulnerabilities
Advisory ID: ZSL-2015-5222
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 12.01.2015
Summary
Gecko CMS is the way to go, forget complicated, bloatedand slow content management systems, Gecko CMS has been build tobe intuitive, easy to use, extendable to almost anything, runningon all standard web hosting (PHP and one MySQL database, Apache isa plus), browser compatibility and fast, super fast!
Description
Gecko CMS suffers from multiple vulnerabilities includingCross-Site Request Forgery, Stored and Reflected Cross-Site Scriptingand SQL Injection.
Vendor
JAKWEB - http://www.cmsgecko.com
Affected Version
2.3 and 2.2
Tested On
Apache/2
PHP/5.4.36
Vendor Status
[27.12.2014] Vulnerabilities discovered.
[05.01.2015] Vendor contacted.
[06.01.2015] Vendor responds asking more details.
[06.01.2015] Sent details to the vendor.
[06.01.2015] Vendor confirms issues but is not going to develop a fix because the issues are present in the admin panel (authd).
[12.01.2015] Public security advisory released.
PoC
geckocms_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
N/A
Changelog
[12.01.2015] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk


Source: php.2225-5102-LSZ/seitilibarenluv/ne/km.ecneicsorez.www

Read:2961 | Comments:0 | Tags:No Tag

“Gecko CMS 2.3 Multiple Vulnerabilities”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud