iScripts EasyCreate 3.0 Multiple Vulnerabilities

High
Advisory ID: ZSL-2016-5298
Release Date: 28 January 2016
Vendor:
Affected Version: 3.0
CVE: N/A
Tested On: Apache, MySQL 5.5.40
Summary

iScripts EasyCreate is a private label online website builder. This software allows you to start an online business by offering website building services to your customers. Equipped with drag and drop design functionality, crisp templates and social sharing capabilities, this online website builder software will allow you to provide the best website building features to your users.

Description

iScripts EasyCreate suffers from multiple vulnerabilities including SQL Injection, XSS and CSRF.

Proof of Concept
Disclosure Timeline
17.11.2015: First contact to vendor.
08.12.2015: Follow up with vendor. No response received.
08.12.2015: Ticket created using online portal (id #010248399110346).
08.12.2015: Ticket closed by vendor without requesting vulnerability details.
28.12.2015: Vendor responds asking for more details.
29.12.2015: Sent details to the vendor.
05.01.2016: Follow up with vendor. No response received.
14.01.2016: Follow up with vendor. No response received.
28.01.2016: Public security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
Changelog
28.01.2016: Initial release
31.01.2016: Added reference [1] and [2]
01.02.2016: Added reference [3]