WB News 2.3.3 Stored Cross Site Scripting

2010-04-22T00:00:00
ID PACKETSTORM:88782
Type packetstorm
Reporter ItSecTeam
Modified 2010-04-22T00:00:00

Description

                                        
`#####################################################################################
#Title: WB News (Webmobo) 2.3.3 Stored XSS #  
#Vendor: http://www.webmobo.org/ #  
#####################################################################################  
#AUTHOR: ITSecTeam #  
#Email: Bug@ITSecTeam.com #  
#Website: http://www.itsecteam.com #  
#Forum : http://forum.ITSecTeam.com #  
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability44.htm #  
#Thanks: r3dm0v3 [r3dm0v3_at_ymail.com], Pejvak, am!rkh@n #  
#####################################################################################  
  
#DESCRIPTION (by vendor):############################################################  
WB News is a PHP news management system which requires MySQL/PostgreSQL database.   
The system is meant for quick and easy build to integrate news into an existing   
site or used as a framework with many systems such as Authentication, Template Engine,   
Database Abstraction and more.
  
#BUG:################################################################################  
file /base/Comments.php (lines 85-92):
foreach ( $comments as $comment )
{
    $rows[] = array(
        "message" => nl2br( textWrap( htmlspecialchars( filter( $comment["message"] ) ) ) ),
        "name" => NULL != $comment["postname"] ? $comment["postname"] : $comment["name"], //<---vulnerable line (89)
        "date" => tz_date( Configuration::getInstance()->getOption("dateFormat"), $comment["timeposted"] )
    );
}

file /templates/default/list-comments.ihtml (line 17):
<td><strong><?php echo __("Posted By") ?>:</strong> <?php echo $r["name"] ?> On: <?php echo $r["date"] ?></td>
  
  
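Unlike the message field, the comment sender's name (postname/name) is passed through neither filter() nor htmlspecialchars(); it is stored and then echoed to the browser as-is by the template.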
  
  
#EXPLOIT:############################################################################  
Go to the comments and post any script as the comment sender's name.
`
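
The fix the advisory implies, as an added example (not WB News code and not from ITSecTeam): the sender's name gets the same HTML encoding the message already receives before the template echoes it. The helpers `e()`, `pickName()`, `rowAsShipped()`, `rowHardened()` and the sample rows are constructed for illustration; the project's `filter()`, `textWrap()` and `tz_date()` are left out so the file runs stand-alone.

```php
<?php
// Added example, not WB News code: the "name" field from the loop in
// /base/Comments.php, before and after output encoding.

// Hypothetical helper: HTML-encode a value for element content or a
// quoted attribute. ENT_QUOTES also encodes single quotes.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same selection logic as line 89 of the advisory (loose != kept on purpose):
// postname wins when it is set, otherwise the account name is used.
function pickName(array $comment): ?string
{
    $postname = $comment['postname'] ?? null;
    return null != $postname ? $postname : ($comment['name'] ?? null);
}

// Behaviour described in the advisory: the stored value reaches the template raw.
function rowAsShipped(array $comment): array
{
    return ['name' => pickName($comment)];
}

// Hardened: encode once, at the point where the row is prepared for output.
function rowHardened(array $comment): array
{
    return ['name' => e(pickName($comment))];
}

// Constructed sample rows, shaped like the $comment arrays in Comments.php.
$comments = [
    ['postname' => '<script>alert(1)</script>', 'name' => null],
    ['postname' => null, 'name' => 'Tom "T" O\'Neil & co'],
];

foreach ($comments as $comment) {
    // What list-comments.ihtml would echo for $r["name"] in each case.
    echo 'shipped : ', rowAsShipped($comment)['name'], PHP_EOL;
    echo 'hardened: ', rowHardened($comment)['name'], PHP_EOL;
}
```

Encode in one layer only: if the template is changed to call `htmlspecialchars()` on `$r["name"]` instead, leave the row builder raw, otherwise legitimate names containing `&` or quotes are double-encoded.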