'[Full-disclosure] DGNews version 2.1 XSS Attack Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] DGNews version 2.1 XSS Attack Vulnerability
From:       "SecurityResearch" <securityresearch () netvigilance ! com>
Date:       2007-05-28 19:52:27
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A575 () beaverton ! portland ! local
[Download RAW message or body]

netVigilance Security Advisory #23

DGNews version 2.1 XSS Attack Vulnerability

Description:
DGNews is small and simple but powered news publishing. Easy installation, no programing \
required. But you can still change whatever you want (for advanced users). Features: add \
unlimited categories, automatic news image thumbnailed, click count, user comment, print view \
and many others. Include full lay out, but sure, you can modify what you need.
This vulnerability can be exploited only when PHP register_globals = On.

External References: 
Mitre CVE: CVE-2007-0694
NVD NIST: CVE-2007-0694
OSVDB: 34228

Summary: 
DGNews is small and simple but powered news publishing.
Security problem in the product allows attackers to conduct XSS attacks.

Advisory URL: 
http://www.netvigilance.com/advisory0023

Release Date:
05/28/2007

Severity:
Risk: Medium
 
CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial 
Impact Bias: Normal
CVSS Base Score: 5.6
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: XSS Attack

SecureScout Testcase ID:
TC 17953

Vulnerable Systems:
DGNews version 2.1

Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the target, by \
sending a specially crafted request to the web-site. The vulnerable web-site is not the target \
of attack but is used as a tool for the hacker in the attack of the victim.

Vendor:
Dian Gemilang

Vendor Status: 
The Vendor has been notified several times on many different email addresses last on 14 May \
2007. The Vendor has not responded. There is no official fix at the release of this Security \
Advisory. Workaround:
In the php.ini file set register_globals = Off. 

Example: 
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/footer.php?
copyright=<script>alert(document.cookie)</script>
REPLY:
Will execute <script>alert(document.cookie)</script>

Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic