''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' [hackgen-2004-#001]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Non-critical Cross-Site Scripting bug in CuteNews
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Software:     CuteNews <= 1.3.6
Homepage:
Author:       "Exoduks" - HackGen Team
Release Date: 2 September, 2004
Website:
Mail:         exoduks [at] gmail . com

0x01 - Affected software description:
-------------------------------------

CuteNews is a very popular news publishing system written in PHP by the
CutePHP Team. The script uses flat files for storing the news, so you
don't need a MySQL database. It supports comments and archives that can
be organized by month.

0x02 - Vulnerability Description:
---------------------------------

The vulnerability exists in index.php because there is no check on the
input in the mod variable, so we can inject some code into the script
and have the injected code executed.

I have to say that this is a non-critical bug because you need to have
some of these privileges to access index.php: Administrator, Editor,
Journalist or Commenter. But if you give a user with these privileges a
specially designed link, you can steal his cookie and get full control
of the script.

0x03 - Vulnerability Code:
--------------------------

The vulnerable code is in index.php from line 595 to line 511 in
CuteNews 1.3.6.

----- begin the code in index.php -----

if($mod == ""){
    require("./inc/main.mdu");
}
elseif( $system_modules[$mod] ) {
    if($system_modules[$mod] == "user"){
        require("./inc/". $mod . ".mdu");
    }
    elseif($system_modules[$mod] == "admin" and $member_db[1] == 1){
        require("./inc/". $mod . ".mdu");
    }
    elseif($system_modules[$mod] == "admin" and $member_db[1] != 1){
        msg("error", "Access denied", "Only admin can access this module");
        exit;
    }
    else{
        die("Module access must be set to <b>user</b> or <b>admin</b>");
    }
}
else{
    die("$mod is NOT a valid module");
}

----- end of the code -----

0x04 - How to fix this bug:
---------------------------

The vendor was contacted 30 minutes ago and will probably release a new
fixed version. So upgrade your scripts to the new version when it comes
out, or you can fix it with my "fix code". The fix can be found at

0x05 - Exploit:
---------------

[XSS CODE]
<script>alert(document.cookie)</script>

0x06 - The End:
---------------

And you have come to the end of this advisory. This is my first but not
last advisory.

Gretttzzz to: Hackgen, II-labs, ROOT-Hack, NHC, bSecurity...

And some people like: Re00t, DelphiFreak, chester, BoyScout, Zex,
GoDLiKE, Clicker, h4z4rd, bSecurity, Ripwizard, Digital, Snoop, Fr1c....

And one more thing: visit !

______________________________________
Written By Exoduks -
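The advisory's section 0x04 only points at the vendor and the author's own fix. As an added illustration (not CuteNews' code and not the author's "fix code"), the dispatcher from section 0x03 is shown below with the two changes that close the reflection: the module name is validated against a strict pattern before it is used in a require() path, and anything echoed back in the error message is HTML-escaped. It assumes $mod arrives via $_GET (register_globals is not relied on), a constructed $system_modules table, and the msg() helper from the original snippet.

```php
<?php
// Added example, not CuteNews' own index.php: hardened module dispatcher.
// The original dies with the raw $mod value interpolated into the page, so a
// crafted link to index.php reflects script into the response of whoever
// follows it. Here the name is validated first and escaped when reflected.

$system_modules = array(          // constructed sample module table
    'main'     => 'user',
    'editnews' => 'user',
    'options'  => 'admin',
);
$member_db = array(1 => 1);       // constructed: index 1 is the access level, 1 = admin

// Accept only the characters real module names use. Besides blocking markup,
// this rules out path tricks via "./inc/" . $mod . ".mdu".
function safe_module_name($mod) {
    return preg_match('/^[a-z0-9_]{1,32}$/', $mod) === 1;
}

// Escape before reflecting user input; ENT_QUOTES also covers attribute contexts.
function reflect_safely($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$mod = isset($_GET['mod']) ? (string) $_GET['mod'] : '';

if ($mod === '') {
    require('./inc/main.mdu');
} elseif (safe_module_name($mod) && isset($system_modules[$mod])) {
    if ($system_modules[$mod] === 'user') {
        require('./inc/' . $mod . '.mdu');
    } elseif ($system_modules[$mod] === 'admin' && $member_db[1] == 1) {
        require('./inc/' . $mod . '.mdu');
    } elseif ($system_modules[$mod] === 'admin') {
        msg('error', 'Access denied', 'Only admin can access this module');
        exit;
    } else {
        die('Module access must be set to <b>user</b> or <b>admin</b>');
    }
} else {
    // Unknown or malformed module: the value is still shown, but as inert text.
    die(reflect_safely($mod) . ' is NOT a valid module');
}
```

With this change a request carrying the advisory's sample payload in mod fails safe_module_name() and is printed as escaped text, so the script tag never reaches the browser as markup.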