XSS and PHP Code Insertion Vulnerabilities in QLnews

Summary

Vulnerability
XSS and PHP Code Insertion Vulnerabilities in QLnews
Discovered
2006.03.30
Last Update
2006.04.09 Exploitation code published
ID
EV0113
CVE
CVE-2006-1575 CVE-2006-1576
Risk Level
high
Type
Multiple Vulnerabilities
Status
Unpatched. No reply from developer(s)
Vendor
n/a
Vulnerable Software
QLnews (http://www.vscripts.pl/)
Version
1.2
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple Vulnerabilities found in QLnews (http://www.vscripts.pl/) script.

1. Cross-Site Scripting.

Vulnerable Script: news.php

Parameters autorx, newsx are not properly sanitized. This can be used to post arbitrary HTML or web script code.

2. PHP Code Insertion.

Administrator has an ability to edit variable values in config.php file. This can be used to insert arbitrary PHP code into config file which executes by every php-script.

System access is possible.

Condition: magic_quotes_gpc = off

PoC/Exploit

1. Cross-Site Scripting Example.

URL: http://[host]/qlnews/news.php?a=write&nr=1&opcja=1&wybor=1

Autor: [XSS]

Tresc: [XSS]

2. PHP Code Insertion Example.

URL: http://[host]/qlnews/admin.php?a=settings

Number of news on main page: 5"; [php_code] $aa="

Solution.

Solution for "XSS and PHP Code Insertion Vulnerabilities in QLnews" is not available. Check vendor's website for updates.