WB News (Webmobo) 2.3.3 Stored XSS

vendor:

WB News

by:

ITSecTeam

8,5

CVSS

HIGH

Stored XSS

CWE

Product Name: WB News

Affected Version From: 2.3.3

Affected Version To: 2.3.3

Patch Exists: YES

Related CWE: N/A

CPE: a:webmobo:wb_news:2.3.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

WB News (Webmobo) 2.3.3 Stored XSS

Comment sender's name is not filtered and can be used to inject malicious code.

Mitigation:

Upgrade to version 2.3.4

Source

Exploit-DB raw data:

#####################################################################################
#Title:             WB News (Webmobo) 2.3.3 Stored XSS                              #
#Vendor:            http://www.webmobo.org/                                         #
#####################################################################################
#AUTHOR:            ITSecTeam                                                       #
#Email:             Bug@ITSecTeam.com                                               #
#Website:           http://www.itsecteam.com                                        #
#Forum :            http://forum.ITSecTeam.com                                      #
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability44.htm        #
#Thanks:            r3dm0v3 [r3dm0v3_at_ymail.com], Pejvak, am!rkh@n                #
#####################################################################################

#DESCRIPTION (by vendor):############################################################
WB News is a PHP news management system which requires MySQL/PostgreSQL database. 
The system is meant for quick and easy build to integrate news into an existing 
site or used as a framework with many systems such as Authentication, Template Engine, 
Database Abstration and more. 

#BUG:################################################################################
file /base/Comments.php:
 85:	foreach ( $comments as $comment )
 86:	{
 87:		$rows[] = array(
 88:			"message" => nl2br( textWrap( htmlspecialchars( filter( $comment["message"] ) ) ) ),
 89:			"name" => NULL != $comment["postname"] ? $comment["postname"] : $comment["name"], //<---vulnerable line
 90:			"date" => tz_date( Configuration::getInstance()->getOption("dateFormat"), $comment["timeposted"] )
 91:			);
 92:	}

file /templates/default/list-comments.ihtml:
 17:		<td><strong><?php echo __("Posted By") ?>:</strong> <?php echo $r["name"] ?> On: <?php echo $r["date"] ?></td>


Comment sender's name is not filtered and is sent to browser!


#EXPLOIT:############################################################################
goto comments and post any script as comment sender's name!