Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration
#Title: Vulnerabilities in News Manager Lite 2.5 & News Manager Lite
administration.
#Software: News Manager Lite 2.5 & News Manager Lite administration.
#Vendor: http://www.expinion.net/software/app_newsmanager.asp
#Impact: Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS: Windows NT, Windows 2000, Windows 2003 or Windows XP
Professional/Server.
---- News Manager Lite 2.5 ----
#Vendor Description:
The Expinion News Manager Lite, makes it easy for you to keep your site's
news up-to-date. You can manage all your news items from an online
administration, and keep an archive of older news.
#Vulnerabilities:
This software has Multiple Flaws That Let Remote Users Hijack Admin Account,
Inject SQL Commands, and Conduct Cross-Site Scripting Attacks.
#Cross Site Scripting#
This product is vulnerable to the Cross-Site Scripting vulnerability that
would allow attackers to inject HTML and script codes into the pages and
execute it on the client's browser.
Examples:
http://[host]/comment_add.asp?ID=3&email=[XSS]
http://[host]/search.asp?search=[XSS]
http://[host]/category_news_headline.asp?ID=2&n=[XSS]
#SQL Injection#
Another problem could lead an attacker to inject SQL code to manipulate and
disclose various information from the database.
Examples:
http://[host]/more.asp?ID='[SQL query]
http://[host]/category_news.asp?ID='[SQL]
http://[host]/news_sort.asp?filter='[SQL]
---- News Manager Lite administration ----
#Cookie Account Hijack#
This issue can be exploited to gain an administrative account with the
service.
You can login like administrator modifying the cookie in this "way".
Example:
Cookie: NEWS%5FLOGIN=ADMIN=1&ID=1
#Solution:
Vendor contacted, the vulnerabilities will be addressed very soon.
#Credits:
Manuel López. mantra@xxxxxxxx