Unrestricted File Upload @ Web-Based Teaching System Myanmar

Home / Hacking, News, Security / Unrestricted File Upload @ Web-Based Teaching System Myanmar

May 10, 2014 PlanetCreator 0 Comments 0 tags

Critical Unrestricted File Upload vulnerability found @ Web-Based Teaching System (Myanmar) URL : http://www.wbts.com.mm

Malicious Attacker can upload some file to server without permission ! And It has persistent XSS vulnerability.

Cross Site Scripting is a client-side attack where an attacker can craft a malicious link, containing script- code which is then executed within the victim’s browser when the target site vulnerable to and injected with XSS is viewed. The script-code can be any language supported by the browser but mostly HTML and Javascript is used along with embedded Flash, Java or ActiveX.

In some cases where the XSS vulnerability is persistent as described further below, the attacker will not have to craft a link as the injected script is inserted directly into the target site and / or web application. The target user(s) still has to view the affected site / page where the injected code is located though.

The persistent XSS can be triggered just by browsing a Web Application with code injected into it. (This depends on which page has code injected, in case the target is not globally affected on all pages loaded by the user.)

Details

=======

Used Product : ColdFusion 9

Vulnerability Type : Unrestricted File Upload & Persistent XSS

Security Risk : Critical

Effected URL : http://www.wbts.com.mm/dcs/act_reg.cfm

CVE : CVE-2005-0254

CVE URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE2005-0254

Informed to :- Webmaster

This is vulnerability is posted at Vulnerabilities Research Page : http://www.planetcreator.net/category/hacking/

We hope that your security staff will look into this issue and fix it as soon as possible.

Explore More

Critical SQL Injection in www.kmd.com KMD Group of Companies

PlanetCreator.Net’s Security Team Member Info Freakzz <infofreakzzz(at)gmail.com> has reported another critical SQL Injection (vulnerability) on http://www.kmd.com.sg owned by KMD Group of Companies These are some information from Vulneral Site http://www.kmd.com.sg

SQL injection (vulnerability) on Myanmar Climate Change Watch http://www.tunlwin.com/

PlanetCreator reported another critical SQL injection (vulnerability) on Myanmar Climate Change Watch http://www.tunlwin.com/ SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer

Critical Blind SQL Injection (vulnerability) in The Best Myanmar Website (burmeseclassic.com)

PlanetCreator has reported another critical Blind SQL Injection (vulnerability) on http://www.burmeseclassic.com/ This vulnerability has been alerted to :- Webmaster of BurmeseClassic Applications: â€”â€”â€”â€” PlanetCreatorâ€™s_Universal_Advanced_Internet_Security_T00L System Time: â€”â€”â€”â€” (UTC+08:00) Yangoon, Myanmar

[webapps] Siklu EtherHaul Series EH-8010 - Remote Command Execution
on January 17, 2026 at 12:00 am
Siklu EtherHaul Series EH-8010 - Remote Command Execution
[webapps] Siklu EtherHaul Series EH-8010 - Arbitrary File Upload
on January 17, 2026 at 12:00 am
Siklu EtherHaul Series EH-8010 - Arbitrary File Upload
[webapps] RPi-Jukebox-RFID 2.8.0 - Remote Command Execution
on January 17, 2026 at 12:00 am
RPi-Jukebox-RFID 2.8.0 - Remote Command Execution
[webapps] FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
on December 25, 2025 at 12:00 am
FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
[webapps] Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
on December 25, 2025 at 12:00 am
Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie