FarsiNews Input Validation Hole in 'search.php' Permits Cross-Site Scripting Attacks - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (Forum/Board/Portal) > FarsiNews

Vendors: farsinewsteam.com

FarsiNews Input Validation Hole in 'search.php' Permits Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1015943

SecurityTracker URL: http://securitytracker.com/id/1015943

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Apr 15 2006

Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Exploit Included: Yes

Version(s): 2.5.3 Pro and prior versions

Description: R@1D3N (amin emami) reported a vulnerability in FarsiNews. A remote user can conduct cross-site scripting attacks. A remote user can also determine the installation path.

The 'search.php' script does not properly filter HTML code from user-supplied input in the 'selected_search_arch' parameter before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the FarsiNews software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/[farsinews_path]/search.php?selected_search_arch=><script>alert(document.cookie)</script><!--

http://[target]/[farsinews_path]/search.php?selected_search_arch=%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--

A remote user can also supply a URL with a specially crafted 'archive' parameter value to cause the system to display an error message that discloses the installation path and other data.

A demonstration exploit URL is provided:

http://[target]/[farsinews_path]/index.php?subaction=showfull
&id=30000000000&archive=../../../../../../etc/passwd%00&start_from=&ucat=1&

The original advisory is available at:

http://www.aria-security.net/advisory/farsinews/farsinews042006.txt

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the FarsiNews software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

Solution: No solution was available at the time of this entry.

Vendor URL: www.farsinewsteam.com/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Subject: Farsinews Cross-Site Scripting & Path disclosure vulnerability

Farsinews  Cross-Site Scripting & Path disclosure  vulnerability

#'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
#Aria-Security.net Advisory
#Discovered  by:R@1D3N (amin emami)
#<AminRayden@yahoo.com>
#Gr33t to:A.u.r.a  & O.u.t.l.a.w & Smok3r & behzad & majid and all Persian Security team
#'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Farsinews is Powerful Persian news publishing system



XSS attack:
http://[target]/[farsinews_path]/search.php?selected_search_arch=><script>alert(document.cookie)</script><!--
http://[target]/[farsinews_path]/search.php?selected_search_arch=%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--

Path disclosure:
A remote user can supply a specially crafted URL to
cause the system to display an error message that
discloses the installation path and other data.
Bug exists in "index.php"

example:
http://[target]/[farsinews_path]/index.php?subaction=showfull
&id=30000000000&archive=../../../../../../etc/passwd%00&start_from=&ucat=
1&

Error:
Warning:
file(/home/cannonc/public_html/smf/test/data/archives/../../../../../../.
./../../etc/passwd\0.news.arch):
failed to open stream: No such file or directory in
 /home/cannonc/public_html/smf/test/inc/shows.inc.php on line 62

Warning: Invalid argument supplied for foreach() in
 /home/cannonc/public_html/smf/test/inc/shows.inc.php on line 270
Can not find an article with id:30000000000


Solution:
contact advisory@aria-security.net

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2021, SecurityGlobal.net LLC