lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040902191443.6801.qmail@www.securityfocus.com>
Date: 2 Sep 2004 19:14:43 -0000
From: Exoduks <exoduks@...il.com>
To: bugtraq@...urityfocus.com
Subject: [hackgen-2004-#001] - Non-critacal Cross-Site Scripting bug in
    CuteNews




http://www.hackgen.org/advisories/hackgen-2004-001.txt

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                          [hackgen-2004-#001]                       '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'       Non-critacal Cross-Site Scripting bug in CuteNews            '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  Software: CuteNews <= 1.3.6
  Homepage: http://www.cutephp.com
  Author: "Exoduks" - HackGen Team
  Release Date: 2 Semptember, 2004
  Website: www.hackgen.org www.hackgen.tk www.hackgen.net
  Mail: exoduks [at] gmail . com


0x01 - Affected software description:
 -------------------------------------
 CuteNews is a very popular news publishing sistem written in php
 by CutePHP Team. The script use a flat files for storing the news 
 and you don't need a mysql database. It supports comments and 
 archives that can be organized by months.



 0x02 - Vulnerability Discription:
 ---------------------------------
 Vulnerability exists in index.php because there is not a checking for 
 input code in mod variable , so we can inject some code into the script and 
 execute injected code. I have to say that this is a non-critical bug because 
 you need to have some of this privilegies for accesing the index.php. 
 You need to have Adminstrator, Editor, Journalist or Commenter privilegies. 
 But if you give some user with these privilegie, special design 
 link you can steal his cookie and get full control of script.
   


 0x03 - Vulnerability Code:
 --------------------------
 Vulnerability code is in index.php from line 595 to line 511 in cutenews 1.3.6

 ----- beging the code in index.php -----

if($mod == ""){ require("./inc/main.mdu"); }

    elseif( $system_modules[$mod] )

    {

            if($system_modules[$mod] == "user"){ require("./inc/". $mod . ".mdu"); }

        elseif($system_modules[$mod] == "admin" and $member_db[1] == 1){ require("./inc/". $mod . ".mdu"); }

        elseif($system_modules[$mod] == "admin" and $member_db[1] != 1){ msg("error", "Access denied", "Only admin can access this module"); exit;}

        else{ die("Module access must be set to <b>user</b> or <b>admin</b>"); }

    }

    else{ die("$mod is NOT a valid module"); }

 ----- end of the code -----



 0x04 - How to fix this bug:
 ---------------------------
 The vendor has been conntacted 30 min ago and it will probably relese a new 
 fixed version. So upgrade yours scripts to new version when it come out, or 
 you can fix it with my "fix code". Fix you can find at http://forum.hackgen.org



 0x05 - Exploit:
 ----------------
 
 http://www.host.com/cutenews/index.php?mod=[XSS CODE]

 http://www.host.com/cutenews/index.php?mod=&lt;script&gt;alert(document.cookie)&lt;/script&gt;
 


 0x006 - The End:
 ----------------
 End you have come to the end of this advisor. This is my first but not last advisor.
 Gretttzzz to: Hackgen, II-labs, ROOT-Hack, NHC, bSecurity... And some people like: 
 Re00t, DelphiFreak, chester, BoyScout, Zex, GoDLiKE, Clicker, h4z4rd, bSecurity, Ripwizard,
 Digital, Snoop, Fr1c....
 And one more thing visit forum.hackgen.org !



                           
        ______________________________________
          Written By Exoduks - www.hackgen.com

 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ