Category:   Application (Forum/Board/Portal)  >   WEB//NEWS Vendors:
WEB//NEWS Input Validation Hole in 'modules/startup.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014866
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 7 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.4
Description:   A vulnerability was reported in WEB//NEWS. A remote user can inject SQL commands. A remote user can also determine the installation path.

The 'modules/startup.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted cookie parameter value to execute SQL commands on the underlying database.

A demonstration exploit cookie value is provided:

wn_userid=1; wn_userpw=0' OR '1'='1
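The cookie check described above, as an added example that is not WEB//NEWS code or part of the advisory: it runs the concatenated query pattern and a prepared-statement version against a constructed in-memory SQLite table, using the demonstration cookie value as input. The `wn_user` table, its row and the function names `lookup_concatenated` and `lookup_prepared` are assumptions made for the example; it needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example. Table, row and function names are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE wn_user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO wn_user VALUES (1, 'admin', 'constructed-stored-value')");

// Pattern from the reported query: cookie values are concatenated into the SQL
// text, so a quote character in a value becomes part of the statement.
function lookup_concatenated(PDO $pdo, array $cookie): ?array
{
    $sql = "SELECT * FROM wn_user WHERE ( userid='" . $cookie['wn_userid']
         . "' AND password='" . $cookie['wn_userpw'] . "' ) LIMIT 1";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened form: reject a non-numeric id, then bind both values as parameters
// so they are only ever treated as data.
function lookup_prepared(PDO $pdo, array $cookie): ?array
{
    $id = $cookie['wn_userid'] ?? '';
    $pw = $cookie['wn_userpw'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || !is_string($pw)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM wn_user WHERE userid = :id AND password = :pw LIMIT 1');
    $stmt->execute([':id' => (int) $id, ':pw' => $pw]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed inputs: a matching cookie and the advisory's demonstration value.
$cases = [
    'valid cookie'    => ['wn_userid' => '1', 'wn_userpw' => 'constructed-stored-value'],
    'advisory cookie' => ['wn_userid' => '1', 'wn_userpw' => "0' OR '1'='1"],
];
foreach ($cases as $label => $cookie) {
    printf("%-16s concatenated=%s prepared=%s\n", $label,
        lookup_concatenated($pdo, $cookie) ? 'row' : 'none',
        lookup_prepared($pdo, $cookie) ? 'row' : 'none');
}
```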

Several REQUEST variables are also not properly filtered. Some demonstration exploit URLs are provided:


A remote user can directly request scripts in the '/actions' directory to cause the system to disclose the installation path.

A demonstration exploit URL is provided:


Robin 'onkel_fisch' Verton reported this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4 Vulnerabilities

[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4

Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High

Date: Sep. 1 2005
Vendor: Stylemotion

Robin 'onkel_fisch' Verton

WEB//News is a news script with features like a CMS


In the modules/startup.php

// Cookie values are concatenated into the SQL string without escaping
$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid)
			WHERE ( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' )
			LIMIT 1");

As we can see, the $_COOKIE parameter is not checked. Below I've added how you have to set the cookies
to take advantage of this vulnerability (send this to index.php):

wn_userid=1; wn_userpw=0' OR '1'='1

Path Disclosure:
No file in the /actions dir is tested if it is directly included.

Nearly every REQUEST variable is not checked so there are a few SQL injections available

A few Examples:

Whole NewAngel Team, CyberDead, Modhacker, deluxe

