One-News Multiple Input Validation Vulnerabilities
BID:30804
Info
One-News Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 30804 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-7059 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 23 2008 12:00AM |
| Updated: | May 07 2015 05:24PM |
| Credit: | suN8Hclf[crimsoN_Loyd9], (DaRk-CodeRs Group) |
| Vulnerable: |
One-News One-News Beta 2 |
| Not Vulnerable: | |
Discussion
One-News Multiple Input Validation Vulnerabilities
One-News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and multiple HTML-injection issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Beta 2 of One-News is prone to these issues.
One-News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and multiple HTML-injection issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Beta 2 of One-News is prone to these issues.
Exploit / POC
One-News Multiple Input Validation Vulnerabilities
An attacker can exploit these issues via a browser.
The following proof-of-concept content URI is available to exploit the SQL-injection issue:
http://www.example.com/onenews_beta2/index.php?q=3' and 1=2 union select 1,2,3/*
An attacker can exploit these issues via a browser.
The following proof-of-concept content URI is available to exploit the SQL-injection issue:
http://www.example.com/onenews_beta2/index.php?q=3' and 1=2 union select 1,2,3/*
Solution / Fix
One-News Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
One-News Multiple Input Validation Vulnerabilities
References:
References: