Re: [Full-disclosure] [Bkis] sNews 1.7.1 XSS vulnerability
- To: Bkis <minhbq@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [Bkis] sNews 1.7.1 XSS vulnerability
- From: Henri Salo <henri@xxxxxxx>
- Date: Sun, 24 Jul 2011 13:08:35 +0300
On Thu, May 12, 2011 at 09:59:16AM +0700, Bkis wrote:
> 1. General Information
>
> sNews is a free content management system (CMS) written in PHP and MySQL. It
> is available at http://snewscms.com/. In April 2011, Bkis Security discovered
> an XSS (Cross-site Scripting) vulnerability in sNews CMS version 1.7.1.
> Taking advantage of this vulnerability, a hacker might execute malicious code
> or get the cookie of the CMS’s administrator.
>
> Details: http://security.bkis.com/snews-1-7-1-xss-vulnerability/
> SVRT Advisory: Bkis 01-2011
> Initial vendor notification: 01/05/2011
> Release Date: 12/05/2011
> Update Date: 12/05/2011
> Discovered by: Cao Xuan Sang - Bkis
> Attack Type: XSS
> Security Rating: High
> Impact: Code Execution
> Affected Software: sNews 1.7.1 (possibly also some earlier versions)
>
> 2. Technical Descriptions
>
> An XSS vulnerability exists in the “reorder” functions of the administrator
> interface: Categories reorder, Articles reorder and Pages reorder. Here, input
> variables are not adequately checked and filtered before querying the
> database. If a special character is added to the value, the SQL query has
> wrong syntax, and the error notification is displayed in the browser together
> with the value of the erroneous variable and the erroneous query, causing the
> XSS vulnerability.
> It is the administrators who are affected by this vulnerability. In
> different scenarios, a hacker is able to steal the Administrator’s cookie or
> redirect the browser to a malicious website, etc.
>
> 3. Solution
> sNews’s development team has not yet issued a patch for this vulnerability.
> Thus, Bkis recommends that individuals and organizations using this software
> fix the flaw with the solution below:
> Search in the file snews.php for:
> $type_id = str_replace($remove,'',$key);
> Then add the code below:
> $value = clean(cleanXSS(trim($value)));
>
> 4. About Bkis
> Bkis is a leading Vietnamese company in researching and deploying network
> security software and solutions.
> website: http://bkis.vn
The identifier CVE-2011-2706 has been assigned to this issue. Please edit the
advisory accordingly.
Best regards,
Henri Salo
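The failure mode the quoted advisory describes is an admin "reorder" handler that splices an untrusted value into an SQL statement and, when the statement fails, echoes the offending value and the failed query straight into the HTML page, so a crafted value becomes a reflected XSS against the logged-in administrator. The following is an added example modelling that pattern beside a hardened variant; it is not sNews's code and not part of this message. The table name, column names, the `order_` key prefix and the `reorderVulnerable`/`reorderHardened` function names are assumptions, and the hardened form uses plain PHP validation, prepared statements and `htmlspecialchars` rather than sNews's own `clean`/`cleanXSS` helpers. It runs against an in-memory SQLite database so it needs no MySQL instance.

```php
<?php
// Constructed model of an admin "reorder" handler (not sNews's code).
// Schema, key prefix and function names are assumptions for illustration.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, position INTEGER)');
    $db->exec("INSERT INTO categories VALUES (1, 'News', 1), (2, 'Blog', 2)");
    return $db;
}

// Vulnerable pattern: $key and $value come straight from a POST field such as
// "order_1" => "3". Neither is validated before being spliced into the query.
function reorderVulnerable(PDO $db, string $key, string $value): string {
    $typeId = str_replace('order_', '', $key);   // same idea as the advisory's str_replace line
    $sql = "UPDATE categories SET position = $value WHERE id = $typeId";
    try {
        $db->exec($sql);
        return '<p>Reordered.</p>';
    } catch (PDOException $e) {
        // The reflection point: the attacker-controlled value and the failed
        // query are written into the admin's page with no HTML escaping.
        return '<p>Error in value ' . $value . ': ' . $e->getMessage()
             . '<br>' . $sql . '</p>';
    }
}

// Hardened: accept only integer ids and positions, bind them as parameters,
// never echo the raw query, and HTML-escape anything that is echoed back.
function reorderHardened(PDO $db, string $key, string $value): string {
    $typeId = str_replace('order_', '', $key);
    if (!ctype_digit($typeId) || !ctype_digit($value)) {
        return '<p>Invalid reorder request for '
             . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    $stmt = $db->prepare('UPDATE categories SET position = :pos WHERE id = :id');
    $stmt->execute([':pos' => (int)$value, ':id' => (int)$typeId]);
    return '<p>Reordered.</p>';
}

$db = setupDb();

// Constructed malicious position value: the quote breaks the SQL syntax, which
// forces the error path, and the script tag rides along in the error output.
$payload = "1'<script>alert(document.cookie)</script>";

// Vulnerable handler: the response contains the <script> element verbatim.
echo reorderVulnerable($db, 'order_1', $payload), "\n";

// Hardened handler: the value is rejected before any query runs and the only
// reflected string is the escaped key.
echo reorderHardened($db, 'order_1', $payload), "\n";

// A well-formed request still works against the hardened handler.
echo reorderHardened($db, 'order_2', '5'), "\n";
```

Run it with `php reorder_example.php` (file name assumed). The input validation alone already prevents the malformed query, but the escaping on the echoed key and the decision not to print the query or the database error text are what close the XSS sink itself, so a future code path that does reach the database with bad input would fail safely rather than reflect it.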
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/