| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Feb 2008 21:57:13 -0600
From: reepex <reepex@...il.com>
To: SkyOut <skyout@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: MyNews 1.6.X HTML/JS Injection Vulnerability
your 'disclosure' is lame and so is your site. Could you please never email
here again
On Feb 6, 2008 1:06 PM, SkyOut <skyout@....net> wrote:
> I know its basic, but I am a supporter of FD and therefore
> planetluc.com has to be
> blamed now! I checked their script MyNews in version 1.6.4 today and
> then some
> other versions, all are vulnerable to HTML and JS injection.
>
> --- ADVISORY ---
>
> ----------------------------
> || WWW.SMASH-THE-STACK.NET ||
> -----------------------------
>
> || ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability
>
> _____________________
> || 0x00: ABOUT ME
> || 0x01: DATELINE
> || 0x02: INFORMATION
> || 0x03: EXPLOITATION
> || 0x04: GOOGLE DORK
> || 0x05: RISK LEVEL
> ____________________________________________________________
> ____________________________________________________________
>
> _________________
> || 0x00: ABOUT ME
>
> Author: SkyOut
> Date: February 2008
> Contact: skyout[-at-]smash-the-stack[-dot-]net
> Website: http://www.smash-the-stack.net/
>
> _________________
> || 0x01: DATELINE
>
> 2008-02-06: Bug found
> 2008-02-06: Advisory released
>
> ____________________
> || 0x02: INFORMATION
>
> The MyNews script by planetluc.com in all versions of the 1.6.X tree is
> vulnerable to HTML and JS injection due to no sanitation of the "hash"
> value in combination with the action "admin".
>
> _____________________
> || 0x03: EXPLOITATION
>
> No exploit is needed to test this vulnerability. You just need a working
> web browser.
>
> 1: HTML Injection
>
> To make a HTML injectioni, visit the websites main page. The name
> might differ
> from the original name "mynews.inc.php", mostly its called
> "index.php". Now
> construct a malformed URL as follows:
>
> http://www.example.com/index.php?hash="><iframe src=http://
> www.evil.com/ height=500px width=500px></iframe><!--&do=admin
>
> Of course you can manipulate the values of "height" and "width" like you
> want to. Do it the way it best fits to your needs!
>
> 2: JavaScript Injection
>
> JS injection is similar to HTML injection, just that you put a JS code
> in the "hash" parameter. Let me show you two examples:
>
> http://www.example.com/index.php?hash="><script>alert(1337);</
> script><!--&do=admin
>
> or
>
> http://www.example.com/index.php?hash="><script>alert("XSS");</
> script><!--&do=admin
>
> Sometimes using strings doesn't work, so test it first!
>
> ____________________
> || 0x04: GOOGLE DORK
>
> intext:"powered by MyNews 1.6.*"
>
> ___________________
> || 0x05: RISK LEVEL
>
> - LOW - (1/3) -
>
> <!> Happy Hacking <!>
>
> ____________________________________________________________
> ____________________________________________________________
>
> THE END
>
> --- ADVISORY ---
>
> Sincerely,
> SkyOut
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists