Newscoop version 3.5.3, probably earlier versions, and partially 4.0 RC3 suffer from remote file inclusion (RFI), cross-site scripting (XSS) and SQL injection vulnerabilities:
1. Remote File Inclusion (RFI): Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to the "include/phorum_load.php", "conf/install_conf.php" and "conf/liveuser_configuration.php" scripts is not properly verified before being used in the require_once() function and can be exploited to include arbitrary remote files.
Successful exploitation of these vulnerabilities requires that "register_globals" is enabled.
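The include pattern behind the RFI finding, shown as an added PHP example (not Newscoop's code): the base directory is taken from a global that register_globals lets a request populate, next to a hardened replacement that fixes the root from the script location and verifies the resolved path before including. A check for the register_globals precondition the advisory names is included. The variable name g_campsiteDir comes from the advisory; the file names and the function names are hypothetical.

```php
<?php
// Added example, not code from Newscoop. Assumes $GLOBALS['g_campsiteDir'] is
// the application's base-directory variable named in the advisory; file and
// function names below are hypothetical.

// VULNERABLE PATTERN: with register_globals=On, a request carrying a
// GLOBALS[g_campsiteDir] parameter sets $GLOBALS['g_campsiteDir'] before this
// line runs, so the include prefix is request-controlled.
function load_config_vulnerable(): void
{
    require_once $GLOBALS['g_campsiteDir'] . '/conf/configuration.php';
}

// HARDENED: the root is fixed from the script's own location, never from
// request-derived state, and the final path is resolved and checked to lie
// inside that root. Returns the resolved path or null if it is not acceptable.
function resolve_in_root(string $root, string $relative): ?string
{
    $base = realpath($root);
    $target = $base === false ? false : realpath($base . '/' . $relative);
    if ($target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // missing file, or resolved outside the application root
    }
    return $target;
}

function safe_include(string $relative): void
{
    $target = resolve_in_root(__DIR__, $relative);
    if ($target === null) {
        throw new RuntimeException("refusing to include '$relative'");
    }
    require_once $target;
}

// Deployment check for the advisory's precondition: the RFI needs
// register_globals, and allow_url_include turns a path bug into remote
// code execution. Returns a list of findings; an empty list means OK.
// (ini_get() returns false for register_globals on PHP 5.4+, where the
// directive no longer exists, which filter_var() treats as Off.)
function check_php_ini(): array
{
    $findings = [];
    foreach (['register_globals', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is enabled; set it to Off";
        }
    }
    return $findings;
}

foreach (check_php_ini() as $finding) {
    fwrite(STDERR, "WARNING: $finding\n");
}

// A relative name that escapes the root is rejected; a file inside it is
// included normally (conf/configuration.php is a hypothetical name here).
var_dump(resolve_in_root(__DIR__, '../outside.php'));      // NULL
try {
    safe_include('conf/configuration.php');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The check function is the part worth wiring into a deployment test: the advisory's RFI is only reachable when register_globals is on, and the same review should confirm allow_url_include is off so that no remaining path bug can fetch remote code.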
2. SQL Injection: Input passed via the "f_country_code" GET parameter to "admin/country/edit.php" is not properly sanitised before being used in an SQL query (requires the attacker to be registered, logged in and permitted to manage countries; "magic_quotes_gpc" must be disabled).
3. Cross-Site Scripting (XSS): Input passed via the "Back" GET parameter to "admin/ad.php", the "f_user_name" GET parameter to "admin/login.php", and the "token" and "f_email" GET parameters to "admin/password_check_token.php" is not properly sanitised before being returned to the user.
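How the SQL injection and XSS findings are closed in code, as an added PHP example that is not Newscoop's own: the country code is bound as a query parameter instead of interpolated (which holds whether or not magic_quotes_gpc is set), and any request value reflected into HTML is encoded for that context. The table name Countries, its columns Code and Name, the in-memory SQLite database and the sample input are all constructed for the example.

```php
<?php
// Added example, not Newscoop code. Assumes PDO with the pdo_sqlite driver;
// the Countries table, its columns and the sample input are constructed here.

// SQL injection fix: bind the user-supplied country code. The bound value is
// compared literally, so quoting tricks in the input do not change the query.
function find_country(PDO $pdo, string $code): ?array
{
    $stmt = $pdo->prepare('SELECT Code, Name FROM Countries WHERE Code = :code');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Allow-list for a value with a known shape: a country code is two upper-case
// letters, so anything else is rejected before it reaches the query at all.
function is_country_code(string $code): bool
{
    return preg_match('/^[A-Z]{2}$/', $code) === 1;
}

// XSS fix: encode every request-derived value (the "Back", "f_user_name",
// "token" and "f_email" parameters in the advisory) before it is echoed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Countries (Code TEXT PRIMARY KEY, Name TEXT)');
$pdo->exec("INSERT INTO Countries VALUES ('CH', 'Switzerland')");

// In the real handler this would be $_GET['f_country_code'].
foreach (['CH', "CH' OR '1'='1"] as $input) {   // constructed sample inputs
    if (!is_country_code($input)) {
        // The reflected value is encoded, so the quotes cannot break out of the markup.
        echo '<p>Invalid country code: ' . h($input) . "</p>\n";
        continue;
    }
    $row = find_country($pdo, $input);
    echo $row === null ? "<p>No such country</p>\n" : '<p>' . h($row['Name']) . "</p>\n";
}

// Even without the allow-list, the bound parameter matches no row.
var_dump(find_country($pdo, "CH' OR '1'='1"));   // NULL
```

The allow-list and the prepared statement are independent layers: the first rejects malformed input early, the second guarantees that whatever does reach the database is data, not query text, and the encoder covers the reflected-output cases regardless of where the value came from.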
Vulnerability ID: HTB23084
Vendor Notification / Patch / Public Disclosure Dates: 28 March / 5 April / 18 April
Vulnerabilities Type: Remote file inclusion (RFI), Cross-site scripting (XSS), SQL injection
Risk level: High
Solution Status: Fixed by Vendor
Solution: Upgrade to Newscoop 3.5.5 and make sure that "register_globals" is set to off (fixes the RFI).
Read full information and details about this advisory: High-Tech Bridge Advisory HTB23084: Multiple vulnerabilities in Newscoop.