List: full-disclosure
Subject: [Full-disclosure] DGNews version 2.1 XSS Attack Vulnerability
From: "SecurityResearch" <securityresearch () netvigilance ! com>
Date: 2007-05-28 19:52:27
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A575 () beaverton ! portland ! local
netVigilance Security Advisory #23
DGNews version 2.1 XSS Attack Vulnerability
Description:
DGNews is small and simple but powered news publishing. Easy installation, no programming
required. But you can still change whatever you want (for advanced users). Features: add
unlimited categories, automatic news image thumbnailed, click count, user comment, print view
and many others. Includes full layout, but sure, you can modify what you need.
This vulnerability can be exploited only when PHP register_globals = On.
External References:
Mitre CVE: CVE-2007-0694
NVD NIST: CVE-2007-0694
OSVDB: 34228
Summary:
DGNews is small and simple but powered news publishing.
Security problem in the product allows attackers to conduct XSS attacks.
Advisory URL:
http://www.netvigilance.com/advisory0023
Release Date:
05/28/2007
Severity:
Risk: Medium
CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
CVSS Base Score: 5.6
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: XSS Attack
SecureScout Testcase ID:
TC 17953
Vulnerable Systems:
DGNews version 2.1
Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the target, by
sending a specially crafted request to the web-site. The vulnerable web-site is not the target
of attack but is used as a tool for the hacker in the attack of the victim.
Vendor:
Dian Gemilang
Vendor Status:
The Vendor has been notified several times on many different email addresses, last on 14 May
2007. The Vendor has not responded. There is no official fix at the release of this Security
Advisory.
Workaround:
In the php.ini file set register_globals = Off.
Example:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/footer.php?
copyright=<script>alert(document.cookie)</script>
REPLY:
Will execute <script>alert(document.cookie)</script>
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
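
The mechanism behind the advisory's register_globals precondition, as an added example that is not part of the original advisory and is not DGNews code. The footer markup, the function names and the $config array are assumptions, and register_globals (removed in PHP 5.4) is emulated with extract().

```php
<?php
// Added illustration, NOT the DGNews source. All names below are hypothetical.

// Assumed vulnerable pattern: the include never initialises $copyright,
// so with register_globals = On the query string can supply it.
function footer_vulnerable(array $query, bool $registerGlobals): string
{
    if ($registerGlobals) {
        // Emulates what register_globals = On did implicitly:
        // each request parameter becomes a variable of the same name.
        extract($query);
    }
    // Output is written into the page without any encoding.
    return '<div class="footer">' . (isset($copyright) ? $copyright : '') . '</div>';
}

// Hardened pattern: the value is read only from trusted configuration,
// never from the request, and is HTML-encoded at the point of output.
function footer_hardened(array $query, array $config): string
{
    $copyright = isset($config['copyright']) ? (string) $config['copyright'] : '';
    return '<div class="footer">'
        . htmlspecialchars($copyright, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// Constructed sample request, using the parameter named in the advisory.
$query  = ['copyright' => '<script>alert(document.cookie)</script>'];
// Constructed site configuration.
$config = ['copyright' => '(c) Example News & Co'];

// register_globals = On: the request value is reflected as markup.
echo footer_vulnerable($query, true), "\n";

// register_globals = Off (the advisory's workaround): the request value
// never reaches $copyright, so nothing from the URL is reflected.
echo footer_vulnerable($query, false), "\n";

// Hardened code: safe under either php.ini setting, and special
// characters in the legitimate value are encoded as entities.
echo footer_hardened($query, $config), "\n";
```

The php.ini workaround removes the precondition for the whole server, while initialising and encoding the variable removes the flaw from the script itself.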