[hackgen-2004-#001] - Non-critical Cross-Site Scripting bug in CuteNews
http://www.hackgen.org/advisories/hackgen-2004-001.txt
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' [hackgen-2004-#001] '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Non-critical Cross-Site Scripting bug in CuteNews '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Software: CuteNews <= 1.3.6
Homepage: http://www.cutephp.com
Author: "Exoduks" - HackGen Team
Release Date: 2 September, 2004
Website: www.hackgen.org www.hackgen.tk www.hackgen.net
Mail: exoduks [at] gmail . com
0x01 - Affected software description:
-------------------------------------
CuteNews is a very popular news publishing system written in PHP
by CutePHP Team. The script uses flat files for storing the news,
so you don't need a MySQL database. It supports comments and
archives that can be organized by months.
0x02 - Vulnerability Description:
---------------------------------
The vulnerability exists in index.php because the mod variable is not
checked for injected code, so we can inject code into the script and have
it executed. I have to say that this is a non-critical bug because
you need to have one of these privileges to access index.php:
Administrator, Editor, Journalist or Commenter.
But if you give a user who has one of these privileges a specially crafted
link, you can steal his cookie and get full control of the script.
0x03 - Vulnerability Code:
--------------------------
The vulnerable code is in index.php, from line 595 to line 511, in CuteNews 1.3.6
----- begin the code in index.php -----
// $mod is taken from the request (?mod=...) without any filtering.
if($mod == ""){ require("./inc/main.mdu"); }
elseif( $system_modules[$mod] )
{
    if($system_modules[$mod] == "user"){ require("./inc/". $mod . ".mdu"); }
    elseif($system_modules[$mod] == "admin" and $member_db[1] == 1){ require("./inc/". $mod . ".mdu"); }
    elseif($system_modules[$mod] == "admin" and $member_db[1] != 1){ msg("error", "Access denied", "Only admin can access this module"); exit; }
    else{ die("Module access must be set to <b>user</b> or <b>admin</b>"); }
}
// Unknown module name: $mod is printed back into the page unescaped.
else{ die("$mod is NOT a valid module"); }
----- end of the code -----
0x04 - How to fix this bug:
---------------------------
The vendor was contacted 30 min ago and will probably release a new
fixed version. So upgrade your scripts to the new version when it comes out,
or you can fix it with my "fix code". You can find the fix at
http://forum.hackgen.org
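One way to harden the dispatch from section 0x03, as an added example (this is
not the author's "fix code" and not the vendor's patch): allow-list the module
name and HTML-encode it before it is echoed in the "NOT a valid module" error.
The function resolve_module(), the example_admin entry and the sample inputs
are assumptions made for illustration.

```php
<?php
// Added example: hardened version of the module dispatch from section 0x03.
// Not CuteNews code. resolve_module() and the sample table are hypothetical.

// Constructed stand-in for the $system_modules table used by index.php.
$system_modules = array('main' => 'user', 'example_admin' => 'admin');

function resolve_module($mod, array $system_modules, $is_admin)
{
    if ($mod === null || $mod === '') {
        return array('file' => './inc/main.mdu', 'error' => null);
    }
    // A request like ?mod[]=x arrives as an array; treat it as invalid.
    $name = is_string($mod) ? $mod : '';

    // Allow-list: a plain identifier AND a key of the module table.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name) || !isset($system_modules[$name])) {
        // Encode before echoing, so markup in ?mod= is rendered as text.
        $shown = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        return array('file' => null, 'error' => $shown . ' is NOT a valid module');
    }
    if ($system_modules[$name] === 'admin' && !$is_admin) {
        return array('file' => null, 'error' => 'Only admin can access this module');
    }
    // Only names that passed the allow-list ever reach a file path.
    return array('file' => './inc/' . $name . '.mdu', 'error' => null);
}

// Constructed inputs: a valid module, the test string from 0x05, an array,
// and an admin-only module requested by a non-admin.
$samples = array(
    'main',
    '<script>alert(document.cookie)</script>',
    array('x'),
    'example_admin',
);
foreach ($samples as $mod) {
    $r = resolve_module($mod, $system_modules, false);
    echo ($r['error'] !== null) ? "error: {$r['error']}\n" : "load:  {$r['file']}\n";
}
```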
0x05 - Exploit:
----------------
http://www.host.com/cutenews/index.php?mod=[XSS CODE]
http://www.host.com/cutenews/index.php?mod=<script>alert(document.cookie)</script>
0x06 - The End:
---------------
You have come to the end of this advisory. This is my first but not last
advisory.
Gretttzzz to: Hackgen, II-labs, ROOT-Hack, NHC, bSecurity... And some people
like:
Re00t, DelphiFreak, chester, BoyScout, Zex, GoDLiKE, Clicker, h4z4rd,
bSecurity, Ripwizard,
Digital, Snoop, Fr1c....
And one more thing: visit forum.hackgen.org!
______________________________________
Written By Exoduks - www.hackgen.com