Source: 自学PHP网 Date: 2015-04-17 13:02
Title: News Script PHP v1.2 - Multiple Web Vulnerabilities
Affected system: 7.5

Introduction:
=============
Visitors to your website will be able to read news, articles, interviews and stories which you have posted
(Details are available here: http://www.newsscriptphp.com )

Abstract:
=========
Multiple vulnerabilities were found in the News Script PHP v1.2 CMS.

Technical analysis:
========
1.1
Multiple SQL injection vulnerabilities are detected in the News Script PHP 1.2 Content Management System. The vulnerability allows a remote attacker or a local low-privileged user account to inject/execute their own SQL commands on the affected application DBMS without user interaction. Successful exploitation of the vulnerability results in DBMS & application compromise.

The vulnerabilities are located in the admin.php & preview.php files and bound values like orderBy & id.

Vulnerable File(s):
[+] preview.php
[+] admin.php

Vulnerable Parameter(s):
[+] id
[+] orderBy

1.2
Multiple non-persistent cross-site scripting vulnerabilities are detected in the News Script PHP 1.2 Content Management System. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with high required user interaction or a local low-privileged user account. Successful exploitation can result in account theft, phishing & client-side content request manipulation.

The vulnerabilities are located in the preview.php and admin.php files and the bound values like search, ordertype, orderby & act.

Vulnerable File(s):
[+] preview.php
[+] admin.php

Vulnerable Parameter(s):
[+] search
[+] orderType
[+] orderBy
[+] act

Proof of Concept:
=================
1.1
The SQL injection vulnerabilities can be exploited without required user interaction with privileged user account. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1338/news/preview.php?id=[SQL-INJECTION]
http://www.2cto.com /news/preview.php?p=[SQL-INJECTION]
http://127.0.0.1:1338/news/admin.php?act=news&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]

1.2
The non-persistent input validation vulnerabilities can be exploited by remote attackers with medium or high required user interaction & without privileged user account. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1338/news/preview.php?id=`14&p=`&search=[CROSS SITE SCRIPTING]
http://127.0.0.1:1338/news/admin.php?act=news&orderType=`[CROSS SITE SCRIPTING]
http://www.2cto.com /news/admin.php?act=news&orderType=[CROSS SITE SCRIPTING]]&search=&orderBy=[CROSS SITE SCRIPTING]
http://127.0.0.1:1338/news/preview.php?act=news&orderType=[CROSS SITE SCRIPTING]

Risk:
=====
1.1
The security risk of the SQL injection vulnerabilities is estimated as hard

1.2
The security risk of the input validation vulnerabilities is estimated as low(+)

VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com
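Mitigation sketch for the parameters listed above, as an added example that is not code from News Script PHP or from the advisory's authors: id is validated as an integer and bound, orderBy and orderType are allowlisted because identifiers cannot be bound, and reflected values are HTML-escaped. The `news` table, its columns, the helper names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not News Script PHP source. The "news" table and its
// columns are assumed; only the parameter names come from the advisory.

const SORTABLE = ['id', 'title', 'created']; // assumed sortable columns

/** Read a request value as a string; arrays (e.g. search[]=x) become ''. */
function param(array $q, string $key): string
{
    $v = $q[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** id: accept positive integers only, then bind the value. */
function previewNews(PDO $db, array $q): ?array
{
    $id = filter_var(param($q, 'id'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

/** orderBy/orderType are SQL identifiers/keywords: they cannot be bound, so allowlist them. */
function listNews(PDO $db, array $q): array
{
    $orderBy   = in_array(param($q, 'orderBy'), SORTABLE, true) ? param($q, 'orderBy') : 'id';
    $orderType = strtoupper(param($q, 'orderType')) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $db->prepare("SELECT id, title FROM news WHERE title LIKE :s ORDER BY $orderBy $orderType");
    $stmt->execute([':s' => '%' . param($q, 'search') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape any request value echoed back into HTML (search, orderType, orderBy, act). */
function h(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo data and a constructed request with malformed values.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, created TEXT)");
$db->exec("INSERT INTO news (title, created) VALUES ('First', '2015-01-01'), ('Second', '2015-02-01')");
$q = ['id' => '14 OR 1=1', 'orderBy' => 'title--', 'orderType' => 'desc', 'search' => '"><b>probe</b>'];
var_dump(previewNews($db, $q));
var_dump(listNews($db, ['orderBy' => $q['orderBy'], 'orderType' => $q['orderType']]));
echo '<p>Results for "', h(param($q, 'search')), '"</p>', PHP_EOL;
```

In the listing call the unrecognised orderBy value falls back to the default column instead of reaching the query text, which is the behaviour to verify when reviewing a fix for the admin.php sort parameters.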