CuteNews HTML Injection Vulnerability Via Commentaries
Summary
"CuteNews is a powerful and easy for using news management system that use flat files to store its database. It supports comments, archives, search function, image uploading, backup function, IP banning, flood protection and more..."
HTML code can be injected via the commentaries feature of CuteNews. An attacker who injects HTML into a commentary can have it rendered, and any code in it executed, in the browser of a victim who views that commentary, with varying degrees of risk.
Details
Vulnerable Systems:
* CuteNews version 1.3.x
The commentaries feature of CuteNews is susceptible to an HTML injection that could endanger users of the system. In the "/inc/Shows.inc.php" file, line 189:
if(!$found){ fwrite($new_comments,
"$id|>|$time|$name|$mail|$ip|$comments||\n"); }
The user-supplied variable $id is not filtered, so anything can be passed through it. Because commentaries are viewable by other users, HTML supplied through $id is rendered by the browser of any user viewing the commentary. An example follows:
show_news.php?subaction=addcomment&name=DarkBich0&comments=http://www.darkbicho.tk&id=1078525267|>|1090074219|DarkBich0|none|127.0.0.1|alert("DarkBicho");||
The result of such an attack can be seen at http://www.darkbicho.iberhosting.net/cutenews/cutenews.gif.
An exploit is available at http://www.darkbicho.iberhosting.net/cutenews/.
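One way to close the hole, as an added example (not CuteNews code and not a vendor fix): validate $id before the record is written, and neutralize the field delimiter and HTML in the other fields. It assumes article ids are numeric timestamps, as in the sample request above, and PHP 7.1 or later; the function names are hypothetical.

```php
<?php
// Added example, not CuteNews code. All function names are hypothetical.

// Assumption: article ids are numeric Unix timestamps, as in the
// advisory's sample request (1078525267). Anything else is rejected.
function valid_news_id(string $id): bool
{
    // /D keeps '$' from matching before a trailing newline.
    return preg_match('/^\d{1,12}$/D', $id) === 1;
}

// Neutralize what gives the flat-file record its structure ('|' separates
// fields, CR/LF end a record) and encode HTML so a stored field is inert
// when it is later echoed into a page.
function clean_field(string $value): string
{
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Done after htmlspecialchars() so the '&' of the entity is not re-encoded.
    return str_replace('|', '&#124;', $value);
}

// Builds one line in the layout written at Shows.inc.php line 189:
// "$id|>|$time|$name|$mail|$ip|$comments||\n". Returns null on a bad id.
function build_comment_record(string $id, int $time, string $name,
                              string $mail, string $ip, string $comments): ?string
{
    if (!valid_news_id($id)) {
        return null; // refuse to write instead of trying to repair the id
    }
    $fields = array_map('clean_field', [$name, $mail, $ip, $comments]);
    return $id . '|>|' . $time . '|' . implode('|', $fields) . "||\n";
}

// Constructed inputs: a normal comment whose text contains markup and a
// delimiter, then an id that carries delimiters and markup of its own.
$ok = build_comment_record('1078525267', 1090074219, 'alice', 'none',
                           '127.0.0.1', 'Nice <b>post</b> | thanks');
$bad = build_comment_record('1078525267|>|1090074219|x|none|127.0.0.1|<b>injected</b>||',
                            1090074219, 'alice', 'none', '127.0.0.1', 'hi');

var_dump($ok);
var_dump($bad);
```

Because clean_field() stores the fields already encoded, the display code must not encode them a second time.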