Thanks to www.BugReport.ir and irsdl for the vulnerability check :)
> 2.1. Broken Authentication and Session Management. An attacker can enter
> the admin pages using a manipulated cookie.
FIX: Download and replace the old files inside the _RealmAdmin folder with:
http://groups.google.com/group/RealmProject/web/_RealmAdmin_V.2.5.zip
> 2.2. Injection Flaws. SQL Injection in "inc_routines.asp" in
> "KeyWordsList" function on "kwrd" parameter.
FIX: Download and replace the old "cms/_includes/inc_routines.asp" with:
http://groups.google.com/group/RealmProject/web/inc_routines.zip
> 2.3. Cross Site Scripting (XSS), Information Leakage. Reflected XSS
> attack, and DB path disclosure in "/cms/_db/compact.asp"
FIX:
a) Immediately after installation, rename the database and, similarly, the
unique ID ("UniqueID" in "site_config.asp")
b) Download and replace the files "compact.asp" and "download.asp" in
"_db" with:
http://groups.google.com/group/RealmProject/web/_db.zip
Download Fixes
RealmCMS/userfiles/file/Fixes/_db.zip
RealmCMS/userfiles/file/Fixes/inc_routines.zip
RealmCMS/userfiles/file/Fixes/_RealmAdmin_V.2.5.zip