Bugtraq mailing list archives
Re: CuteNews 1.4.1 <= Cross Site Scripting
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 20 Apr 2006 12:34:42 -0400 (EDT)
Exploit: http://www.example.com/index.php?mod=editnews&action=editnews&id=1145397112&source=[XSS]
This XSS is likely resultant from a more serious issue in which the $source variable is not being validated, so it is subject to attacks such as directory traversal. Given the program's assumption of the file format, it is possible that only portions of certain files could be read. The "doeditnews" action does overwrite this same file, so it could also be used at least for file corruption. However, this is all based on source analysis; I did not test this.

From inc/editnews.mdu in CuteNews 1.4.1:

    elseif($action == "editnews") {
        // Show The Article for Editing
        if($source == ""){ $all_db = file("./data/news.txt"); }
        elseif($source == "postponed"){ $all_db = file("./data/postponed_news.txt"); }
        elseif($source == "unapproved"){ $all_db = file("./data/unapproved_news.txt"); }
        else{ $all_db = file("./data/archives/$source.news.arch"); }

        $found = FALSE;
        foreach ($all_db as $line) {
            $item_db=explode("|",$line);
            if ($id == $item_db[0]){ $found = TRUE; break;}
        }//foreach news line

and later:

    elseif($action == "doeditnews") {
    [SNIP]
        else{
            $news_file = "./data/archives/$source.news.arch";
            $com_file = "./data/archives/$source.comments.arch";
        }

        $old_db = file("$news_file");
        $new_db = fopen("$news_file", w);

- Steve
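The path construction Steve points at, shown beside a hardened variant, as an added example that is not CuteNews code or part of the original post. It assumes (constructed for this example) that archive names are purely numeric identifiers; the same resolver would have to be used by both the "editnews" and "doeditnews" branches, since the second one writes to the resolved path.

```php
<?php
// Mirrors the original logic: $source is concatenated straight into the path,
// so "../" sequences in it escape ./data/archives.
function news_file_unsafe(string $source): string {
    if ($source === "")           return "./data/news.txt";
    if ($source === "postponed")  return "./data/postponed_news.txt";
    if ($source === "unapproved") return "./data/unapproved_news.txt";
    return "./data/archives/$source.news.arch";
}

// Hardened: named sources come from a fixed map and anything else must match
// a strict allowlist pattern before it is used as a file name component.
// Assumption for this example: archive names are 1-20 decimal digits; adjust
// the pattern to the real naming scheme rather than loosening it.
function news_file_safe(string $source, string $dataDir = "./data"): ?string {
    $named = [
        ""           => "$dataDir/news.txt",
        "postponed"  => "$dataDir/postponed_news.txt",
        "unapproved" => "$dataDir/unapproved_news.txt",
    ];
    if (array_key_exists($source, $named)) {
        return $named[$source];
    }
    // Rejects "/", "\", ".", NUL and everything else that is not a digit,
    // so no traversal or extension-truncation trick can reach the file name.
    if (!preg_match('/^[0-9]{1,20}$/', $source)) {
        return null;
    }
    return "$dataDir/archives/$source.news.arch";
}

// Demonstration over constructed inputs: the last two are rejected by the
// hardened resolver but accepted verbatim by the original logic.
foreach (["", "postponed", "1145397112", "../../etc/passwd", "x/../../config"] as $s) {
    printf("%-22s unsafe=%-40s safe=%s\n", var_export($s, true),
           news_file_unsafe($s), news_file_safe($s) ?? "REJECTED");
}
```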
Current thread:
- CuteNews 1.4.1 <= Cross Site Scripting sn4k3 . 23 (Apr 19)
- Re: CuteNews 1.4.1 <= Cross Site Scripting Steven M. Christey (Apr 20)