[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <a8fe69350802071753q4af2cb32qcfe7b1b2de8d97e8@mail.gmail.com>
Date: Thu, 7 Feb 2008 19:53:06 -0600
From: "Fredrick Diggle" <fdiggle@...il.com>
To: reepex <reepex@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: MyNews 1.6.X HTML/JS Injection Vulnerability
SkyOut is a Fredrick Diggle Sec contributer... We suggest you think
very carefully before insulting him further. Consider yourself on the
list reepex.
On Feb 6, 2008 9:57 PM, reepex <reepex@...il.com> wrote:
> your 'disclosure' is lame and so is your site. Could you please never email
> here again
>
>
>
> On Feb 6, 2008 1:06 PM, SkyOut <skyout@....net> wrote:
>
> > I know its basic, but I am a supporter of FD and therefore
> > planetluc.com has to be
> > blamed now! I checked their script MyNews in version 1.6.4 today and
> > then some
> > other versions, all are vulnerable to HTML and JS injection.
> >
> > --- ADVISORY ---
> >
> > ----------------------------
> > || WWW.SMASH-THE-STACK.NET ||
> > -----------------------------
> >
> > || ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability
> >
> > _____________________
> > || 0x00: ABOUT ME
> > || 0x01: DATELINE
> > || 0x02: INFORMATION
> > || 0x03: EXPLOITATION
> > || 0x04: GOOGLE DORK
> > || 0x05: RISK LEVEL
> > ____________________________________________________________
> > ____________________________________________________________
> >
> > _________________
> > || 0x00: ABOUT ME
> >
> > Author: SkyOut
> > Date: February 2008
> > Contact: skyout[-at-]smash-the-stack[-dot-]net
> > Website: http://www.smash-the-stack.net/
> >
> > _________________
> > || 0x01: DATELINE
> >
> > 2008-02-06: Bug found
> > 2008-02-06: Advisory released
> >
> > ____________________
> > || 0x02: INFORMATION
> >
> > The MyNews script by planetluc.com in all versions of the 1.6.X tree is
> > vulnerable to HTML and JS injection due to no sanitation of the "hash"
> > value in combination with the action "admin".
> >
> > _____________________
> > || 0x03: EXPLOITATION
> >
> > No exploit is needed to test this vulnerability. You just need a working
> > web browser.
> >
> > 1: HTML Injection
> >
> > To make a HTML injectioni, visit the websites main page. The name
> > might differ
> > from the original name "mynews.inc.php", mostly its called
> > "index.php". Now
> > construct a malformed URL as follows:
> >
> > http://www.example.com/index.php?hash="><iframe src=http://
> > www.evil.com/ height=500px width=500px></iframe><!--&do=admin
> >
> > Of course you can manipulate the values of "height" and "width" like you
> > want to. Do it the way it best fits to your needs!
> >
> > 2: JavaScript Injection
> >
> > JS injection is similar to HTML injection, just that you put a JS code
> > in the "hash" parameter. Let me show you two examples:
> >
> > http://www.example.com/index.php?hash="><script>alert(1337);</
> > script><!--&do=admin
> >
> > or
> >
> > http://www.example.com/index.php?hash="><script>alert("XSS");</
> > script><!--&do=admin
> >
> > Sometimes using strings doesn't work, so test it first!
> >
> > ____________________
> > || 0x04: GOOGLE DORK
> >
> > intext:"powered by MyNews 1.6.*"
> >
> > ___________________
> > || 0x05: RISK LEVEL
> >
> > - LOW - (1/3) -
> >
> > <!> Happy Hacking <!>
> >
> > ____________________________________________________________
> > ____________________________________________________________
> >
> > THE END
> >
> > --- ADVISORY ---
> >
> > Sincerely,
> > SkyOut
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists