planetluc-xss.txt
Posted on 07 February 2008
I know its basic, but I am a supporter of FD and therefore planetluc.com has to be blamed now! I checked their script MyNews in version 1.6.4 today and then some other versions, all are vulnerable to HTML and JS injection. --- ADVISORY --- ---------------------------- || WWW.SMASH-THE-STACK.NET || ----------------------------- || ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability _____________________ || 0x00: ABOUT ME || 0x01: DATELINE || 0x02: INFORMATION || 0x03: EXPLOITATION || 0x04: GOOGLE DORK || 0x05: RISK LEVEL ____________________________________________________________ ____________________________________________________________ _________________ || 0x00: ABOUT ME Author: SkyOut Date: February 2008 Contact: skyout[-at-]smash-the-stack[-dot-]net Website: http://www.smash-the-stack.net/ _________________ || 0x01: DATELINE 2008-02-06: Bug found 2008-02-06: Advisory released ____________________ || 0x02: INFORMATION The MyNews script by planetluc.com in all versions of the 1.6.X tree is vulnerable to HTML and JS injection due to no sanitation of the "hash" value in combination with the action "admin". _____________________ || 0x03: EXPLOITATION No exploit is needed to test this vulnerability. You just need a working web browser. 1: HTML Injection To make a HTML injectioni, visit the websites main page. The name might differ from the original name "mynews.inc.php", mostly its called "index.php". Now construct a malformed URL as follows: http://www.example.com/index.php?hash="><iframe src=http:// www.evil.com/ height=500px width=500px></iframe><!--&do=admin Of course you can manipulate the values of "height" and "width" like you want to. Do it the way it best fits to your needs! 2: JavaScript Injection JS injection is similar to HTML injection, just that you put a JS code in the "hash" parameter. Let me show you two examples: http://www.example.com/index.php?hash="><script>alert(1337);</ script><!--&do=admin or http://www.example.com/index.php?hash="><script>alert("XSS");</ script><!--&do=admin Sometimes using strings doesn't work, so test it first! ____________________ || 0x04: GOOGLE DORK intext:"powered by MyNews 1.6.*" ___________________ || 0x05: RISK LEVEL - LOW - (1/3) - <!> Happy Hacking <!> ____________________________________________________________ ____________________________________________________________ THE END --- ADVISORY --- Sincerely, SkyOut _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
