dalogin 2.2 multiple vulnerabilites
app desc: Configurable WebSite. PHP + Mysql: news zone with rss feed,
private zone, languages, themes, administration panel
app source: http://dalogin.sourceforge.net/
author: hc0
[1] config file disclosure
you can access config.ini file from [path]/admin/include/config.ini
this file contains mysql connection informations (user, pass, host etc..)
its says "come here and ownz by box!!"
[2] sql injection
at line 115 requested http parameter id use in sql query without filtering.
114 - //LEER COMENTARIOS
115 - $Sql="SELECT * from news_comments WHERE id_new=".$_REQUEST['id']."
AND state=1";
116 - $result_comments = mysql_query($Sql);
117 - while ($row_comments=mysql_fetch_array($result_comments))
118 - {
119 - echo '<table class="CommentTable">';
120 - echo '<tr>
121 - <td
width="100px">'.strftime(DATE_TIME_FORMAT,strtotime($row_comments['date_comment'])).'
122 - <br /><b>'.$row_comments['user_name'].'</b>
123 - </td>
124 - <td class="CommentTableImg">
125 - '.$row_comments['comment'].'
126 - </td>
127 - </tr>';
128 - echo '</table><br />';
129 - }
[3] xss
181 - function InsertComment()
182 - {
183 - global $link;
184 - $Sql="INSERT INTO news_comments
(id_new,comment,date_comment,state,user_name) VALUES
(".$_REQUEST['id'].",'".$_POST['comment_text']."',Now(),0,'".$_POST['comment_user']."')";
185 - mysql_query($Sql);
186 - echo '<div class="CommentAlert" style=" background-color:
#c5fbcd">'.COMMENT_SENT_LABEL.'</div>';
187 - }
you need post a comment that includes your xss attack payload and its saved
database. its so simple :)
[4] just for fun i'm so bored..................