Expinion.net News Manager Lite Multiple Vulnerabilities
BID:9935
Info
Expinion.net News Manager Lite Multiple Vulnerabilities
| Bugtraq ID: | 9935 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 20 2004 12:00AM |
| Updated: | Mar 20 2004 12:00AM |
| Credit: | Discovery is credited to Manuel Lopez <[email protected]>. |
| Vulnerable: |
Expinion.net News Manager Lite 2.5 |
| Not Vulnerable: |
Expinion.net News Manager Lite 2.6 |
Discussion
Expinion.net News Manager Lite Multiple Vulnerabilities
Multiple vulnerabilities have been identified in the application that may allow an attacker to carry out SQL injection, cross-site scripting, and account hijacking attacks.
The issues exist in the 'comment_add.asp', 'search.asp', 'category_news_headline.asp', 'more.asp', 'category_news.asp', and 'ews_sort.asp' scripts. Further more a cookie account hijacking issue was also discovered in the application that may allow a remote attacker to gain administrative access to application's administrative interface.
News Manager Lite 2.5 is reported to be affected by these issues, however, other versions may be affected as well.
Multiple vulnerabilities have been identified in the application that may allow an attacker to carry out SQL injection, cross-site scripting, and account hijacking attacks.
The issues exist in the 'comment_add.asp', 'search.asp', 'category_news_headline.asp', 'more.asp', 'category_news.asp', and 'ews_sort.asp' scripts. Further more a cookie account hijacking issue was also discovered in the application that may allow a remote attacker to gain administrative access to application's administrative interface.
News Manager Lite 2.5 is reported to be affected by these issues, however, other versions may be affected as well.
Exploit / POC
Expinion.net News Manager Lite Multiple Vulnerabilities
No exploit is required.
The following proof of concept has been provided:
http://www.example.com/comment_add.asp?ID=3&email=[XSS]
http://www.example.com/search.asp?search=[XSS]
http://www.example.com/category_news_headline.asp?ID=2&n=[XSS]
http://www.example.com/more.asp?ID='[SQL query]
http://www.example.com/category_news.asp?ID='[SQL]
http://www.example.com/news_sort.asp?filter='[SQL]
Cookie: NEWS%5FLOGIN=ADMIN=1&ID=1
No exploit is required.
The following proof of concept has been provided:
http://www.example.com/comment_add.asp?ID=3&email=[XSS]
http://www.example.com/search.asp?search=[XSS]
http://www.example.com/category_news_headline.asp?ID=2&n=[XSS]
http://www.example.com/more.asp?ID='[SQL query]
http://www.example.com/category_news.asp?ID='[SQL]
http://www.example.com/news_sort.asp?filter='[SQL]
Cookie: NEWS%5FLOGIN=ADMIN=1&ID=1
Solution / Fix
Expinion.net News Manager Lite Multiple Vulnerabilities
Solution:
Expinion.net has released News Manager Lite 2.6 to address these issue. Please contact the vendor to obtain the fixed version.
Solution:
Expinion.net has released News Manager Lite 2.6 to address these issue. Please contact the vendor to obtain the fixed version.
References
Expinion.net News Manager Lite Multiple Vulnerabilities
References:
References:
- News Manager Lite Product Page (Expinion.net)