SecurityvulnsSECURITYVULNS:DOC:17282[Full-disclosure] H4CREW-000005 EasyNews Pro 4.0 XSS & CSRF
I luv u Ms. Phisher u d4 d1am0nds 1n My Ski
h4xorCrew Advirosy 5: Easynews PRO 4.0 XSS and CRSF =================================================== "the game of secuirity is like a sord fight you must think furst b4 you m0ve" H-4 h3r3 2 stay cuz we in da h0uz h4xorcewz n da house and r4w we g0nna g1v3 1t 2 ya '07 wit no tr1via. w3 g0t da h4x r4p, s0ftw4r3z n 0ur h4ndz turn to d1SaSta, cuz w3 g0t sk1lls of da m4$ta. Softwares: Easynews PRO 4.0 Vulnerables funk bies the s1lksh4dow & w3bm1str3ss severety: very high risks = 100 ImpaX ==== [1] remotes cookie hijack of it all [2] XSS shell nuff said (http://ferruh.mavituna.com/article/?1338) [3] some blog or website to exploit of the CRSF vecotr. [4] both XSS & CRSF there is steal of the admin (it below)! XSS ------- Easynews PRO 4.0 is softwares for HTML internet newses posting by admin or user with some auth (but not much). Some user may post Cross-Site Scriptings in newses. If done, scriptings execute in browser as if trust were true even for scriptings that is not belong of site. Becuase scriptings is stored when news is stored, XSS is forever, meaning store newses is likely to malign many users browser. (see below) 1. log in 2. post in news with news having "Hi Say!<script>alert("PWND!")</script>" 3. news get saved as file.txt in /news folder with hazard scriptings 4. user other read news and get scripted Root of cause is no delicate input sifting or no output htmls encodings up in there code. CRSF ------- With CRSF, like XSS, virtuall all site on intenet is vulnerables to is widespread. It happen here too, but very severes = 100 becuase remotes attack can switch admin pass (n0 kidding ^_^). Root of cauz is admin pass can be change with no curent pass as input when chang is make. So html FORM action put up in there other place like blog or web app can automatic with javascrip turned on change pass of admin if admin read newses while login and fellows the linkage to bad site. Change can be fasters than the cats eye. Notes: becuase XSS and CRSF are true together it is possibles to post newses that automatic change admin pass when newses is viewed cuz uv a m4d j4v4scr1pt0rs :/ Workaround: No workaround just yet. I sen the coder emale 6 moth aogo. Until then read newses with MITM proxy so trap request & response and delette bad stuff each time, ok! Inmportant geetz: ---------------------------------------------------------- shoutz to alyandon <β ur so lljk & props to th0ri4n k33p i7 0n d4 d0wnlow Z4K, I g3tt1n t1r3d uv b4iling U 455 0ut 4g41n. evil4d4msmith y0u d4 CEO 0f gR00v3. Other suxkur cr3ws btr step b4k we're d0ing th3 hax. g07 4n APB 0n a k1ll3r MC my 1337 w3bm1st3ss 4nd m3 w3 da Silksh4dow 4n 5he bl0win da lid off this 1. d0n7 fr0n7 da dU0 cuz w3 Nv1nc1bl3. 1 L0\/3 j00Z \/\/3B/\/\1$7r3$$ we 1t b4be U n Me 4eva. I m0v3 m0nt41nZ U d4 l3v3r. ----------------------------------------------------------
Make every IM count. Download Windows Live Messenger and join the iβm Initiative now. Itβs free.
http://im.live.com/messenger/im/home/?source=TAGWL_June07