Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.5.3, 4.0 RC3
    • Fix Version/s: 4.0 RC4
    • Component/s: None
    • Labels:
      None
    • Originating Party:
      Experts
    • OS:
      Ubuntu 10.04
    • Browser:
      Firefox

      Description

      2) SQL Injection in Newscoop

      2.1 Input passed via the "f_country_code" GET parameter to
      /admin/country/edit.php is not properly sanitised before being used in
      an SQL query.
      This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

      The following PoC (Proof of Concept) demonstrates the vulnerability:

      http://[host]/admin/country/edit.php?f_country_code=%27%20union%20select%201,2,version%28%29%20--%202

      Successful exploitation of the vulnerability requires the attacker to be
      registered and logged in and to have permission to manage countries.
      For successful exploitation "magic_quotes_gpc" must also be disabled,
      because the payload relies on an unescaped single quote (%27) to
      terminate the string literal in the query.
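The following is an added example, not Newscoop code, that reproduces the flaw described in 2.1 against a constructed SQLite table and shows the parameterised form that closes it. The table name and the three-column SELECT are assumptions chosen so the advisory's "union select 1,2,version()" payload lines up with the column count; sqlite_version() stands in for MySQL's version(), since SQLite has no function of that name.

```python
import sqlite3

# Constructed fixture (assumed schema): a three-column Countries table so that
# the PoC's three-column UNION matches the number of columns the base query returns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Countries (Code TEXT, Name TEXT, Lang TEXT)")
    conn.executemany(
        "INSERT INTO Countries VALUES (?, ?, ?)",
        [("US", "United States", "en"), ("DE", "Deutschland", "de")],
    )
    return conn

# The advisory's f_country_code payload, URL-decoded, with sqlite_version()
# substituted for MySQL's version().
SQLI_PAYLOAD = "' union select 1,2,sqlite_version() -- 2"


def lookup_unsafe(conn, code):
    """Mirrors the flaw: the GET value is pasted straight into the SQL text,
    so the leading quote closes the literal and the UNION becomes part of the query."""
    sql = "SELECT Code, Name, Lang FROM Countries WHERE Code = '%s'" % code
    return conn.execute(sql).fetchall()


def lookup_safe(conn, code):
    """Parameterised query: the value travels to the engine as data, so the
    quote and the UNION are never parsed as SQL syntax."""
    sql = "SELECT Code, Name, Lang FROM Countries WHERE Code = ?"
    return conn.execute(sql, (code,)).fetchall()


def demo():
    """Run both lookups with the PoC payload; returns (unsafe_rows, safe_rows)."""
    conn = make_db()
    return lookup_unsafe(conn, SQLI_PAYLOAD), lookup_safe(conn, SQLI_PAYLOAD)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("unsafe:", unsafe_rows)   # one injected row: (1, 2, '<sqlite version>')
    print("safe:  ", safe_rows)     # [] - no country has that literal code
```

The unsafe lookup returns a row that was never in the table (the engine version, exactly as the PoC extracts it from MySQL), while the parameterised lookup returns nothing because no Code column equals the payload string. A magic_quotes_gpc-style backslash escape would only block this particular quote-based payload; the parameterised query removes the class of bug.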

      3) Multiple Cross-Site Scripting (XSS) in Newscoop

      3.1 Input passed via the "Back" GET parameter to /admin/ad.php is not
      properly sanitised before being returned to the user.
      This can be exploited to execute arbitrary HTML and script code in the
      administrator's browser session in the context of the affected website.

      The following PoC (Proof of Concept) demonstrates the vulnerability:

      http://[host]/admin/ad.php?Back=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

      (3.2 is already fixed in 4.0)
      3.2 Input passed via the "error_code" and "f_user_name" GET parameters
      to /admin/login.php is not properly sanitised before being returned to
      the user (in the PoC below, error_code=upgrade selects the error page
      and the script payload is carried in f_user_name).
      This can be exploited to execute arbitrary HTML and script code in the
      user's browser session in the context of the affected website.

      The following PoC demonstrates the vulnerability:

      http://[host]/admin/login.php?error_code=upgrade&f_user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

      3.3 Input passed via the "token" and "f_email" GET parameters to
      /admin/password_check_token.php is not properly sanitised before being
      returned to the user.
      This can be exploited to execute arbitrary HTML and script code in the
      user's browser session in the context of the affected website.

      The following PoCs demonstrate the vulnerabilities:

      http://[host]/admin/password_check_token.php?token=1&f_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
      http://[host]/admin/password_check_token.php?f_email=1&token=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
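All three XSS findings (3.1 to 3.3) share one root cause: a GET value is reflected into the page without HTML encoding. The following is an added example, not Newscoop code, that takes the 3.1 payload for the "Back" parameter, reflects it into an assumed hidden form field (the real markup in ad.php is not shown on this page), and uses Python's HTML parser to show which tags a browser would actually see before and after escaping. The same escaping fixes the f_user_name, token and f_email reflections.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The 3.1 PoC value exactly as it arrives after URL decoding:
#   '"><script>alert(document.cookie);</script>
XSS_PAYLOAD = unquote("%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E")


def render_back_unsafe(back):
    """Assumed vulnerable rendering: the parameter is interpolated verbatim
    into an attribute value, so '"> closes the attribute and the tag."""
    return '<input type="hidden" name="Back" value="%s">' % back


def render_back_safe(back):
    """Same markup with the value HTML-encoded; quote=True also encodes
    ' and ", which is what keeps the value inside the attribute."""
    return '<input type="hidden" name="Back" value="%s">' % html.escape(back, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the list of element names a parser extracts from the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe tags:", tags_in(render_back_unsafe(XSS_PAYLOAD)))  # ['input', 'script']
    print("safe tags:  ", tags_in(render_back_safe(XSS_PAYLOAD)))    # ['input']
    print(render_back_safe(XSS_PAYLOAD))
```

The unsafe rendering yields two elements, and the second one is the attacker's script; the escaped rendering yields only the input element, with the payload preserved as inert text in its value attribute. Note that html.escape without quote=True would leave the double quote intact and the attribute break-out would still work.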

        Activity

        Holman Romero added a comment -

        Duplicates separate tickets created for this same task: CS-4182 and CS-4184

          People

          • Assignee:
            Ofir Gal
            Reporter:
            Ofir Gal
          • Votes:
            0
            Watchers:
            0
