dnewsweb-xss.txt

`[HSC] DNewsWeb Softwares Cross Site Scripting Vulrnability  
  
  
The DNews News Server is advanced news server software that makes it easy for you to   
provide users with fast access to Internet (Usenet) news groups. Installing your own l  
ocal news server software also gives you complete control to create your own private   
or public discussion forums for enhanced communications across the organization and   
Internet. DNews fails to sanitize supplied input, attackers may exploit this issue   
via a web client. An attacker may leverage this issue to have arbitrary script code   
execute in the browser of an unsuspecting user in the context of the affected site.   
This may help the attacker steal cookie-based authentication credentials and launch   
other attacks.  
  
  
  
Hackers Center Security Group (http://www.hackerscenter.com)  
Credit: Doz  
  
  
Risk: Medium  
Class: Input Validation Error  
Remote: YES  
Local: N/A  
  
  
Vendor: NetWin Ltd  
Product: DNewsWeb 57e1  
  
  
http://netwinsite.com/  
  
  
Effected Platforms:  
  
- Windows NT,2000,XP  
- Linux (All 32 bit variants, RedHat, Suse, Mandrake)  
- Solaris 2.7 Sparc  
- Solaris 8,9,10 Sparc  
- FreeBSD 4.x  
- Mac OS/X  
  
  
Vulrnable Files:  
  
dnewsweb.exe  
  
  
* Attackers can exploit these issues via a web client.  
  
  
Exploit:  
  
/cgi-bin/dnewsweb.exe?cmd=PATH&group=XSS  
/cgi-bin/dnewsweb.exe?utag=XSS  
  
  
  
  
Google Search: (dnewsweb.exe)  
  
http://www.google.com/search?hl=en&q=ext%3Aexe+inurl%3A%28%7Cdnewsweb.exe%7C%29&btnG=Search  
  
  
  
Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having  
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security  
pack you will ever find on the net!  
`