Hello Bugtraq!

I want to warn you about Arbitrary File Uploading and Code Execution vulnerabilities in CMS WebManager-Pro. It's a Ukrainian commercial CMS.

SecurityVulns ID: 11176.

-------------------------
Affected products:
-------------------------

Both CMS WebManager-Pro systems, from two developers, are vulnerable.

Vulnerable are versions CMS WebManager-Pro v.7.0 (version from WebManager) and previous versions, and also CMS WebManager-Pro v.7.4.3 (version from FGS_Studio) and previous versions.

----------
Details:
----------

Arbitrary File Uploading (WASC-42):

In the admin panel, in the section "files" (http://site/admin/files.php), uploading of arbitrary files is possible.

Code Execution (WASC-31):

In the admin panel, in the section "files" (http://site/admin/files.php), uploading of php-scripts is possible.

This concerns all versions of CMS WebManager-Pro from FGS_Studio, and also versions of WebManager-Pro from WebManager up to 7.0 inclusive. But there are sites with this CMS, version 7.0 and higher, where there is protection (at the site level) from execution of php-scripts; in such a case only Arbitrary File Uploading is possible.

------------
Timeline:
------------

2010.07.10 - announced at my site.
2010.07.11 - informed developers.
2010.10.02 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4362/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
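
An added example, not part of the original advisory or of the CMS's code: a log check a site operator could run to spot script files that were first requested after an upload through the "files" section. It assumes combined-format access logs and that uploads appear as POST requests to /admin/files.php; the /files/ directory, the extension list and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: Apache/nginx "combined" access-log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOAD_PATH = "/admin/files.php"  # the "files" section named in the advisory
# Assumption: extensions the web server hands to the PHP interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

# Constructed sample lines (documentation IP ranges, hypothetical /files/ dir).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Oct/2010:10:00:01 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [02/Oct/2010:10:00:05 +0300] "GET /admin/files.php HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.44 - - [02/Oct/2010:10:05:10 +0300] "POST /admin/files.php HTTP/1.1" 200 2300 "-" "-"',
    '192.0.2.44 - - [02/Oct/2010:10:05:30 +0300] "GET /files/test.php?x=1 HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.7 - - [02/Oct/2010:10:06:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

def find_new_scripts(lines):
    """Return (upload_time, upload_ip, script_path, status) for every script
    path whose first request in the log comes after an upload POST."""
    seen, uploads, hits = set(), [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        status = int(m["status"])
        if m["method"] == "POST" and path == UPLOAD_PATH and status < 400:
            uploads.append((ts, m["ip"]))
        if SCRIPT_EXT.search(path):
            # Scripts requested before any upload form the baseline.
            if path not in seen and uploads and path != UPLOAD_PATH:
                up_ts, up_ip = uploads[-1]
                hits.append((up_ts.isoformat(), up_ip, path, status))
            seen.add(path)
    return hits

if __name__ == "__main__":
    for hit in find_new_scripts(SAMPLE_LOG):
        print(hit)
```

The log window needs to start well before the first upload so that the site's legitimate scripts are already in the baseline. The reported status separates a request the server answered (200) from one it refused (403 or 404).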