Newscoop CS-4179: vulnerability issues (htbridge.com)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.5.3, 4.0 RC3
    • Fix Version/s: 4.0 RC4
    • Component/s: None
    • Labels: None
    • Originating Party: Experts
    • OS: Ubuntu 10.04
    • Browser: Firefox

      Description

      2) SQL Injection in Newscoop

      2.1 Input passed via the "f_country_code" GET parameter to
      /admin/country/edit.php is not properly sanitised before being used in
      an SQL query.
      This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

      The following PoC (Proof of Concept) demonstrates the vulnerability:

      http://[host]/admin/country/edit.php?f_country_code=%27%20union%20select%201,2,version%28%29%20--%202

      Successful exploitation of the vulnerability requires the attacker to be
      registered and logged in and to have permission to manage countries.
      For successful exploitation "magic_quotes_gpc" should be disabled as
      well.

      3) Multiple Cross-Site Scripting (XSS) in Newscoop

      3.1 Input passed via the "Back" GET parameter to /admin/ad.php is not
      properly sanitised before being returned to the user.
      This can be exploited to execute arbitrary HTML and script code in the
      administrator's browser session in the context of the affected website.

      The following PoC (Proof of Concept) demonstrates the vulnerability:

      http://[host]/admin/ad.php?Back=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

      (3.2 already FIXED in 4.0)
      3.2 Input passed via the "error_code" GET parameter to
      /admin/login.php is not properly sanitised before being returned to
      the user.
      This can be exploited to execute arbitrary HTML and script code in the
      user's browser session in the context of the affected website.

      The following PoC demonstrates the vulnerability:

      http://[host]/admin/login.php?error_code=upgrade&f_user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

      3.3 Input passed via the "token" and "f_email" GET parameters to
      /admin/password_check_token.php is not properly sanitised before being
      returned to the user.
      This can be exploited to execute arbitrary HTML and script code in the
      user's browser session in the context of the affected website.

      The following PoCs demonstrate the vulnerabilities:

      http://[host]/admin/password_check_token.php?token=1&f_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
      http://[host]/admin/password_check_token.php?f_email=1&token=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
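As an added illustration (not Newscoop's own code), the two defect classes in the report shown as the broken pattern beside the hardened one: a prepared statement for the f_country_code lookup, and output escaping for the reflected parameters. The $pdo connection, the Countries table and the function names are assumptions.

```php
<?php
// Added illustration (not Newscoop's code): the two defect classes in the
// report, each shown as the broken pattern beside the hardened one.
// $pdo is assumed to be an existing PDO connection; the table, column and
// function names are hypothetical.

// --- 2.1: SQL injection via f_country_code --------------------------------
// BROKEN: the raw GET value is concatenated into the query. With
// magic_quotes_gpc off, a single quote in f_country_code ends the string
// literal and the rest of the parameter is parsed as SQL.
function country_by_code_broken(PDO $pdo, string $code): ?array
{
    $sql = "SELECT code, name FROM Countries WHERE code = '$code'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: a prepared statement keeps the parameter as data whatever it
// contains; quoting is no longer the application's (or magic_quotes') job.
function country_by_code(PDO $pdo, string $code): ?array
{
    $stmt = $pdo->prepare('SELECT code, name FROM Countries WHERE code = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- 3.x: reflected XSS via Back / error_code / token / f_email -----------
// BROKEN: the parameter is echoed straight into HTML, so a "> in the value
// closes the attribute and everything after it is rendered as markup.
function back_link_broken(string $back): string
{
    return '<a href="' . $back . '">Back</a>';
}

// FIXED: escape for the HTML context at output time. ENT_QUOTES covers both
// quote styles, so the value cannot break out of a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function back_link(string $back): string
{
    return '<a href="' . h($back) . '">Back</a>';
}
```

The same h() wrapper applies wherever error_code, token or f_email are reflected into a page; the escaping belongs at the output point, not at input, so that the stored value stays usable elsewhere.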

            People

            • Assignee: Ofir Gal (ofir.gal)
            • Reporter: Ofir Gal (ofir.gal)