HACKATTACK Advisory 20081016]WEB//NEWS SQL Injection and Cookie Manipulation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HACKATTACK Advisory 20081016]WEB//NEWS SQL Injection and Cookie Manipulation
From: office@xxxxxxxxxxxxx
Date: 16 Oct 2008 11:48:13 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[HACKATTACK Advisory 20081016]WEB//NEWS SQL Injection and Cookie Manipulation

Details
=======
Product: WEB//NEWS
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://www.stylemotion.de/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.HACKATTACK.at / www.HACKATTACK.eu

Affected Products:
----------------------------
WEB//NEWS 1.4 and prior

Original Advisory:
============
http://www.HACKATTACK.at/

Introduction
============
WEB//NEWS is an easy to handle news management system which works with 
MySQL/PHP.

More Details
============

1. SQL Injection:
---------------------
Input passed to the "catid" parameter in "search.php" using $_POST is not 
properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2. Cookie_Manipulation:
---------------------
After a successfull sql injection and getting the required administrator 
password hash, an attacker is able to bypass the
login with the given information and to gain full administrative access on the 
news management system.

1.1 PoC:
============
http://localhost/webnews/search.php?

Postdata:
1. an attacker have to input a keyword into the keyword textfield. This is 
required for successfull exploitation.
 
2. An attacker will post the follwing sql statement to categorie id field:

') union select 1,2,3,4,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19 from 
wn_user where userid=1/**


Solution
=============

Fix
===
Upgrade to newest version(1.4.1a)

Solution
=============
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "htmlentities()" php-function to 
ensure that html tags
are not going to be executed. You should also work with the 
"mysql_real_escape_string()" or "addslashes()" php-function to ensure that sql 
statements
can't be delivered over the "get" variables. Further it is recommend to set off 
the "register globals" option in the
"php.ini" on your webserver. It's also possible to turn on magic_quotes.

Example:
$password = htmlentities($_POST['catid']);
$file = htmlspecialchars($_GET['keyword']);
$id = intval($_POST['id']);
?>

History/Timeline
================
22.09.2008 discovery of the vulnerabilities
22.09.2008 additional tests with other versions
24.09.2008 contacted the vendor
15.10.2008 advisory is written
16.10.2008 advisory released

HACKATTACK
================
HACKATTACK IT SECURITY GmbH is an Austrian Penetrationtest and security 
Assesement company which focuses
on web application security and firewall security.
You can find more Information about HACKATTACK at
http://www.HACKATTACK.at

Prev by Date: SEC Consult SA-20081016-0 :: Remote command execution in Instant Expert Analysis
Next by Date: rPSA-2008-0295-1 rails
Previous by thread: SEC Consult SA-20081016-0 :: Remote command execution in Instant Expert Analysis
Next by thread: rPSA-2008-0295-1 rails
Index(es):
- Date
- Thread