SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   mcNews
Vendors:   Cagninacci, Marc
mcNews Forum Software Has Several Bugs That Disclose Files to Remote Users and Allow Remote Users to Conduct Cross-Site Scripting Attacks Against mcNews Users
SecurityTracker Alert ID:  1004338
SecurityTracker URL:  http://securitytracker.com/id/1004338
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 21 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network

Version(s): 1.1a
Description:   Several vulnerabilities were reported in the mcNews script. A remote user can view arbitrary files on the system, can conduct cross-site scripting attacks against mcNews users, and can determine the mcNews installation path.

A remote user can gain access to administrative pages by setting a particular cookie with the name "mcNews" and with any value (e.g., "mcNews,frog"). Apparently, the mcNews server does not verify the cookie contents but instead checks only to see if the cookie is set before granting access to scripts in the '/admin' directory.

A remote user can exploit this to access the 'design.php' script, which itself contains a vulnerability. The script apparently allows a remote user to specify an arbitrary file on the server as the skinfile, allowing the remote user to view arbitrary files on the system.

A demonstration exploit is provided (it requires the cookie mentioned above):

GET /admin/design.php?voir=1&skinfile=../../file/to/view

It is also reported that a remote user can access the 'header.php' script without having to set a particular cookie if the remote user invokes the 'voir' value in the URL. The following is an example URL that can be used to view arbitrary user-specified files on the system:

GET /admin/header.php?voir=1&skinfile=../../file/to/view

A remote user can specify a non-existent file as the 'skinfile' in order to view the full installation path of the script. A demonstration URL is provided:

GET /admin/[header or design].php?voir=1&skinfile=non-existent-file

A remote user can create an HTML link using the login.php script such that, when the link is loaded by a target user, arbitrary JavaScript will be executed by the target user's browser. This code will appear to originate from the server running mcNews and will execute in the security domain of that site. As a result, the code can access the target user's cookies associated with the site running mcNews.

A demonstration exploit URL is provided:

/admin/login.php?path="></form><form name=a><input name=i value=XSS><script>alert(document.a.i.value)</script>

For more information, see the author's original advisory (in French) at:

http://www.ifrance.com/kitetoua/tuto/mcNews.txt

Impact:   A remote user can view named files on the system that are readable by the web server. A remote user can determine the PHP script installation directory path. A remote user can conduct cross-site scripting attacks against other mcNews users to steal their authentication cookies associated with the site running mcNews.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpforums.net/index.php?dir=dld
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.
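
As an added example (not part of the SecurityTracker entry or the original advisory), the following Python script flags the request patterns described above in web server access logs, which is a practical check while no vendor fix is available. Only the script paths and parameter names come from the advisory; the log format, the sample lines and the finding labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SKIN_SCRIPTS = {"/admin/design.php", "/admin/header.php"}  # paths from the advisory
LOGIN_SCRIPT = "/admin/login.php"                          # path from the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252f) before inspecting a value."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(target):
    """Return the advisory findings matched by one request target."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    path = parts.path.lower()
    findings = set()
    if path in SKIN_SCRIPTS:
        for raw in params.get("skinfile", []):
            segments = fully_decode(raw).replace("\\", "/").split("/")
            if ".." in segments:  # parent-directory step in the skin file name
                findings.add("skinfile-traversal")
    if path == LOGIN_SCRIPT:
        for raw in params.get("path", []):
            if any(ch in fully_decode(raw) for ch in '<>"'):  # markup in 'path'
                findings.add("login-path-markup")
    return findings

def scan(lines):
    """Return (line number, findings) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        found = classify(match.group(1)) if match else set()
        if found:
            hits.append((number, sorted(found)))
    return hits

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/May/2002:10:00:01 +0000] "GET /admin/design.php?voir=1&skinfile=../../file/to/view HTTP/1.0" 200 512',
    '198.51.100.7 - - [21/May/2002:10:00:05 +0000] "GET /admin/header.php?voir=1&skinfile=..%252f..%252ffile HTTP/1.0" 200 512',
    '203.0.113.9 - - [21/May/2002:10:01:00 +0000] "GET /admin/login.php?path=%22%3E%3C/form%3E%3Cscript%3E HTTP/1.0" 200 900',
    '192.0.2.4 - - [21/May/2002:10:02:00 +0000] "GET /admin/design.php?voir=1&skinfile=skins/default.skin HTTP/1.0" 200 700',
]
```

Standard access logs do not record cookies, so the cookie-presence bypass itself is not visible here; any request to the '/admin' scripts from an unexpected source is worth reviewing separately.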


 Source Message Contents

Subject:  Security holes : mcNews




Product :
mcNews 1.1a
http://www.phpforums.net

Problems :
- XSS
- Path Disclosure
- Including file
- Admin access

Exploits :
- /admin/login.php?path="></form*><form name=a*><input name=i value=XSS*><script*>alert(document.a.i.value)</script*>
without '*'
- Setcookie "mcNews,frog" on admin pages
- /admin/design.php?voir=1&skinfile=../../file/to/view + mcNews cookie
- /admin/header.php?voir=1&skinfile=../../file/to/view without mcNews cookie
- /admin/[header or design].php?voir=1&skinfile=non-existant-file

More details :
in French:
http://www.ifrance.com/kitetoua/tuto/mcNews.txt
translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FmcNews.txt&langpair=fr%7Cen&hl=fr&ie=UTF8&oe=UTF8&prev=%2Flanguage_tools

frog-m@n

 
 



Copyright 2019, SecurityGlobal.net LLC