Gnew version 2013.1 and probably prior suffers from PHP file inclusion and SQL injection vulnerabilities, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application.
The PHP file inclusion vulnerability in Gnew exists because user-supplied input passed via the "gnew_language" cookie to the "users/login.php" script is insufficiently validated before being used in an "include()" call. A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte.
The SQL injection vulnerabilities in Gnew exist because the following POST parameters are insufficiently filtered: "friend_email" passed to "news/send.php", "user_email" to "users/register.php", "answer_id" to "/polls/vote.php", "question_id" to "/polls/vote.php", "story_id" to "/comments/add.php", "story_id" to "/comments/edit.php", "thread_id" to "/posts/add.php", and "thread_id" to "/posts/edit.php".
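The two defect classes above, as an added example that is not Gnew's code: a hypothetical reconstruction of each vulnerable pattern next to a hardened form. The "languages/" directory, the "english" default, and the "gnew_users" table and column names are assumptions, not taken from the project.

```php
<?php
// Added example, not Gnew's own code. Hypothetical reconstruction of the two
// defect patterns described in the advisory and a hardened form of each.
// --- Pattern 1: language file chosen from an unvalidated cookie -----------
// Vulnerable shape (do not use): the cookie value flows straight into include(),
// so traversal sequences and a NULL byte can point it anywhere on disk.
function load_language_unsafe(): void {
    $lang = $_COOKIE['gnew_language'] ?? 'english';
    include 'languages/' . $lang . '.php';   // attacker-controlled path
}

// Hardened form: allowlist the cookie against the real files, never build the
// path from the raw value, and confirm the resolved path stays in the directory.
function load_language_safe(string $langDir = __DIR__ . '/languages'): string {
    $raw = $_COOKIE['gnew_language'] ?? 'english';

    // Only a short alphabetic token is ever a legitimate language name.
    if (!preg_match('/^[a-z]{2,16}$/', $raw)) {
        $raw = 'english';
    }

    // Allowlist built from the files that actually exist on disk (assumed layout).
    $allowed = array_map(
        fn(string $p) => basename($p, '.php'),
        glob($langDir . '/*.php') ?: []
    );
    if (!in_array($raw, $allowed, true)) {
        $raw = 'english';
    }

    $path = realpath($langDir . '/' . $raw . '.php');
    $base = realpath($langDir);
    // Defence in depth: the resolved path must sit under the language directory.
    if ($path === false || $base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file outside allowed directory');
    }
    include $path;
    return $raw;
}

// --- Pattern 2: POST parameter concatenated into SQL ----------------------
// Vulnerable shape: "SELECT ... WHERE user_email = '" . $_POST['user_email'] . "'"
// Hardened form: bind the value as a parameter so it can never alter the query.
function find_user_by_email(PDO $db, string $email): ?array {
    $stmt = $db->prepare('SELECT user_id, user_name FROM gnew_users WHERE user_email = :email');
    $stmt->execute([':email' => $email]);   // table/columns are assumed names
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The same binding approach applies to the integer parameters ("answer_id", "question_id", "story_id", "thread_id"), where casting with (int) before binding is an additional cheap check.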
As a solution, it is suggested to apply an unofficial patch developed by High-Tech Bridge Security Research Lab, available here: https://www.htbridge.com/advisory/HTB23171-patch.zip
The full advisory and additional details are available here.