your 'disclosure' is lame and so is your site. Could you please never email here again
On Feb 6, 2008 1:06 PM, SkyOut <[EMAIL PROTECTED]> wrote: > I know its basic, but I am a supporter of FD and therefore > planetluc.com has to be > blamed now! I checked their script MyNews in version 1.6.4 today and > then some > other versions, all are vulnerable to HTML and JS injection. > > --- ADVISORY --- > > ---------------------------- > || WWW.SMASH-THE-STACK.NET || > ----------------------------- > > || ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability > > _____________________ > || 0x00: ABOUT ME > || 0x01: DATELINE > || 0x02: INFORMATION > || 0x03: EXPLOITATION > || 0x04: GOOGLE DORK > || 0x05: RISK LEVEL > ____________________________________________________________ > ____________________________________________________________ > > _________________ > || 0x00: ABOUT ME > > Author: SkyOut > Date: February 2008 > Contact: skyout[-at-]smash-the-stack[-dot-]net > Website: http://www.smash-the-stack.net/ > > _________________ > || 0x01: DATELINE > > 2008-02-06: Bug found > 2008-02-06: Advisory released > > ____________________ > || 0x02: INFORMATION > > The MyNews script by planetluc.com in all versions of the 1.6.X tree is > vulnerable to HTML and JS injection due to no sanitation of the "hash" > value in combination with the action "admin". > > _____________________ > || 0x03: EXPLOITATION > > No exploit is needed to test this vulnerability. You just need a working > web browser. > > 1: HTML Injection > > To make a HTML injectioni, visit the websites main page. The name > might differ > from the original name "mynews.inc.php", mostly its called > "index.php". Now > construct a malformed URL as follows: > > http://www.example.com/index.php?hash="><iframe src=http:// > www.evil.com/ height=500px width=500px></iframe><!--&do=admin > > Of course you can manipulate the values of "height" and "width" like you > want to. Do it the way it best fits to your needs! > > 2: JavaScript Injection > > JS injection is similar to HTML injection, just that you put a JS code > in the "hash" parameter. Let me show you two examples: > > http://www.example.com/index.php?hash="><script>alert(1337);</ > script><!--&do=admin > > or > > http://www.example.com/index.php?hash="><script>alert("XSS");</ > script><!--&do=admin > > Sometimes using strings doesn't work, so test it first! > > ____________________ > || 0x04: GOOGLE DORK > > intext:"powered by MyNews 1.6.*" > > ___________________ > || 0x05: RISK LEVEL > > - LOW - (1/3) - > > <!> Happy Hacking <!> > > ____________________________________________________________ > ____________________________________________________________ > > THE END > > --- ADVISORY --- > > Sincerely, > SkyOut > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/