Search
Home

imei Addmimistrator’s BugBlog

imei’s security Advisories and researches

« vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack
MyBB1.0.4~member.php~XSS after login »

CuteNews1.4.1~ AddCommentForProtectedUserNames~ XSS Attack

——–Summary——–
Software: CuteNews
Sowtware’s Web Site: http://cutephp.com
Versions: 1.4.1
Class: Remote
Status: Unpatched
Exploit: Available
Solution: NotAvailable
Discovered by: imei addmimistrator
Risk Level: Mediume&High
——-Description——-
There is a security bug in CuteNews version 1.4.1 that
allows malicious people to conduct an XSS attack.
This bug is the result of poor checking of user input
(Quotations and
< &>) which are passed to the “show” parameter.
An attacker may use this issue to execute malicious code in a user’s browser
session in context of the affected site.This may facilitate the theft of
cookie-based authentication credentials as well as other attacks.
The following is the partition of the code which is assumed to
cause this issue:
inc/show.inc.php
{174} <input type=\”hidden\” name=\”show\” value=\”$show\” />

——-Exploit——-
/cutenews/show_news.php?subaction=addcomment
&id={aNewsId}&name={anExistantUserName}
&show=%22%3E%3Cscript%3Ealert(”imei”)%3C/script%3E

——-Solution——-
No Solution is Available
——-Credit——-
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
myimei.com/security

Posted by imei on Monday, February 20th, 2006 at 2:07 pm.

16 Responses to “CuteNews1.4.1~ AddCommentForProtectedUserNames~ XSS Attack”

    http://secunia.com/advisories/18981/

    Left by imei on February 24th, 2006

    http://demo.vbulletin.com/index.php?langid=2

    Left by liberty on March 9th, 2006

    Mmmm… Site looks good! Real good!;-)

    Left by Sesso on April 10th, 2006

    OoO! Nice site! I juuust LOVE it! Found it rather interesting and useful, you know:)

    Left by Phentermine on April 11th, 2006

    your welcome all. thanx about all.

    Left by imei on April 12th, 2006

    Gut Seite! Sehr gut! Danke schoen fuer Information!

    Left by Erotik on April 14th, 2006

    Ooo.! Gut Seite:) Sehr schoen!

    Left by Automobile on April 19th, 2006

    Hi there! Nice site you have:) I wish you good luck!

    Left by Phentermine on April 20th, 2006

    Hi.. mmm.. good site! nice work) thanks for information i found useful:)

    Left by Ronaldinho on April 24th, 2006

    Ehmm..m. Sehr gut Seite! Ich sage innig..!:)

    Left by BMW on April 25th, 2006

    OoOo!)) Nice site you\’ve got! Good luck!

    Left by Viagra on April 27th, 2006

    Great site you have! Nice stucture, easy to browse! thaks for useful info:)

    Left by Phentermine on April 27th, 2006

    Gut! Sehr schoen seite! ^^ Wirklich! :)

    Left by Wikipedia on April 30th, 2006

    Ho trovato questo luogo abbastanza informativo - per ringraziarlo: -)

    Left by Sesso on June 9th, 2006

    Maledizione! Ché buon luogo! Sto andando dirgli i miei amici! O_o

    Left by Elezioni on June 13th, 2006

    .
    .
    .
    it is a quote
    .
    .
    .

    Left by imei on October 20th, 2007

Something to say?

You must be logged in to post a comment.