[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] DGNews version 2.1 SQL Injection Vulnerability
From: "SecurityResearch" <securityresearch () netvigilance ! com>
Date: 2007-05-28 19:51:09
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A574 () beaverton ! portland ! local
[Download RAW message or body]
netVigilance Security Advisory #22
DGNews version 2.1 SQL Injection Vulnerability
Description:
DGNews is small and simple but powered news publishing. Easy installation, no programing \
required. But you can still change whatever you want (for advanced users). Features: add \
unlimited categories, automatic news image thumbnailed, click count, user comment, print view \
and many others. Include full lay out, but sure, you can modify what you need.
This vulnerability can be exploited only when PHP magic_quotes_gpc = Off.
External References:
Mitre CVE: CVE-2007-0693
NVD NIST: CVE-2007-0693
OSVDB: 34227
Summary:
DGNews is small and simple but powered news publishing.
Security problems in the product allow attackers commit SQL injections.
Advisory URL:
http://www.netvigilance.com/advisory0022
Release Date:
05/28/2007
Severity:
Risk: High
CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Complete
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Confidentiality
CVSS Base Score: 6.8
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: SQL Injection
SecureScout Testcase ID:
TC 17952
Vulnerable Systems:
DGNews version 2.1
Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts. This could be exploited \
to obtain sensitive data, modify database contents or acquire administrator's privileges.
Vendor:
Dian Gemilang
Vendor Status:
The Vendor has been notified several times on many different email addresses last on 14 May \
2007. The Vendor has not responded. There is no official fix at the release of this Security \
Advisory. Workaround:
In the php.ini file set magic_quotes_gpc = On.
Example:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/news.php?go=newslist&catid=' UNION SELECT 1,`site_title` \
FROM `news_config` WHERE '1 OR (resultant XSS Attack)
http://[TARGET]/[PRODUCT-DIRECTORY]/ news.php?go=newslist&catid=' UNION SELECT \
1,'<script>alert(document.cookie)</script>' FROM `news_config` WHERE '1 REPLY:
<table width="95%" border="0" cellpadding="2" cellspacing="2" align="center">
<tr> <td class="newscat"><a href=" http://[TARGET]/[PRODUCT-DIRECTORY]" \
class="newscat">Home</a>[SQL INJECTION RESULT]<br /> </td></tr></table>
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic