SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   WEB//NEWS
Vendors:   Stylemotion.de
WEB//NEWS Input Validation Hole in 'modules/startup.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014866
SecurityTracker URL:  http://securitytracker.com/id/1014866
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 7 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.4
Description:   A vulnerability was reported in WEB//NEWS. A remote user can inject SQL commands. A remote user can also determine the installation path.

The 'modules/startup.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted cookie parameter value to execute SQL commands on the underlying database.

A demonstration exploit cookie value is provided:

wn_userid=1; wn_userpw=0' OR '1'='1

Several REQUEST variables are also not properly filtered. Some demonstration exploit URLs are provided:

/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]

A remote user can directly request scripts in the '/actions' directory to cause the system to disclose the installation path.

A demonstration exploit URL is provided:

/actions/cat.add.php?name=A

Robin 'onkel_fisch' Verton reported this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.stylemotion.de/engine.php?show=webnews
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  7 Sep 2005 15:49:52 -0000
Subject:  [NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4 Vulnerabilities

[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4
=============================================================================

Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High

Date: Sep. 1 2005
Vendor: Stylemotion


Credit:
=======
Robin 'onkel_fisch' Verton
http://www.it-security23.net

Description:
============
WEB//News is a news script which has features like a CMS


Vulnerability:
==============

In the modules/startup.php

$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid) 
		      WHERE 
			( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' ) 
		      LIMIT 1");

As we can see, the $_COOKIE parameter is not checked. Below I've added how you have to set the cookies
to take advantage of this vulnerability (send this to index.php):

wn_userid=1; wn_userpw=0' OR '1'='1

Path Disclosure:
No file in the /actions dir is tested if it is directly included.
Example:
/actions/cat.add.php?name=A

Nearly every REQUEST variable is not checked, so there are a few SQL injections available

A few examples:
/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]

Greets:
==============
Whole NewAngel Team, CyberDead, Modhacker, deluxe
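
The concatenated lookup quoted from modules/startup.php beside a parameter-bound form of the same query, as an added example that is not WEB//NEWS code and not part of the advisory. The PDO/SQLite setup, the table columns, the PRE value, the sample rows and the function names are assumptions; WEB//NEWS itself uses its own $db wrapper.

```php
<?php
// Added example, not WEB//NEWS code. Table layout, PRE value and sample rows
// are constructed; an in-memory SQLite database stands in for the real backend.
const PRE = 'wn';

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . PRE . '_group (groupid INTEGER PRIMARY KEY, groupname TEXT)');
$pdo->exec('CREATE TABLE ' . PRE . '_user (userid INTEGER PRIMARY KEY, password TEXT, groupid INTEGER)');
$pdo->exec("INSERT INTO " . PRE . "_group VALUES (1, 'admin')");
$pdo->exec("INSERT INTO " . PRE . "_user VALUES (1, 'constructed-stored-value', 1)");

// Query built the way the advisory quotes it: cookie values concatenated into SQL,
// so a quote character in a cookie ends the string literal and alters the WHERE clause.
function lookupConcatenated(PDO $pdo, array $cookie)
{
    $sql = "SELECT * FROM " . PRE . "_user LEFT JOIN " . PRE . "_group USING (groupid)
            WHERE ( userid='" . $cookie['wn_userid'] . "' AND password='" . $cookie['wn_userpw'] . "' )
            LIMIT 1";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: same query, values bound as parameters so they are never parsed as SQL.
function lookupPrepared(PDO $pdo, array $cookie)
{
    $id = $cookie['wn_userid'] ?? '';
    $pw = $cookie['wn_userpw'] ?? '';
    // Reject array-valued or non-numeric input before touching the database.
    if (!is_string($id) || !ctype_digit($id) || !is_string($pw)) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM ' . PRE . '_user LEFT JOIN ' . PRE . '_group USING (groupid)
         WHERE userid = :id AND password = :pw LIMIT 1'
    );
    $stmt->execute([':id' => (int) $id, ':pw' => $pw]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Cookie values as given in the advisory; compare what each lookup returns for them.
$cookie = ['wn_userid' => '1', 'wn_userpw' => "0' OR '1'='1"];

echo 'concatenated lookup matched a user: ';
var_dump(lookupConcatenated($pdo, $cookie) !== false);
echo 'prepared lookup matched a user: ';
var_dump(lookupPrepared($pdo, $cookie) !== false);
```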

 
 



Copyright 2017, SecurityGlobal.net LLC