EasyNews Pro 4.0 XSS & CSRF

Credit: tHe cReW
Risk: Low
Local: No
Remote: Yes

I luv u Ms. Phisher u d4 d1am0nds 1n My Ski

h4xorCrew Advisory 5: EasyNews PRO 4.0 XSS and CSRF
===================================================

"the game of security is like a sword fight, you must think first b4 you m0ve"

H-4 h3r3 2 stay cuz we in da h0uz, h4xorcrewz n da house and r4w, we g0nna g1v3 1t 2 ya '07 wit no tr1via. w3 g0t da h4x r4p, s0ftw4r3z n 0ur h4ndz turn to d1SaSta, cuz w3 g0t sk1lls of da m4$ta.

Software: EasyNews PRO 4.0
Vulnerabilities found by: s1lksh4dow & w3bm1str3ss
Severity: very high, risk = 100

Impact
====
[1] Remote cookie hijacking of everything
[2] XSS Shell, nuff said (http://ferruh.mavituna.com/article/?1338)
[3] Any blog or website can be used to carry the CSRF vector
[4] With XSS and CSRF together, the admin account can be stolen (see below)!

XSS
-------
EasyNews PRO 4.0 is software for posting HTML news on the internet by an admin or by a user with some authentication (but not much). A user can post cross-site scripting inside a news item. If they do, the script executes in the reader's browser as if it were trusted, even though the script does not belong to the site. Because the script is stored when the news item is stored, the XSS is persistent, so one stored news item is likely to hit many users' browsers. (see below)

1. Log in.
2. Post a news item containing "Hi Say!<script>alert("PWND!")</script>".
3. The news item is saved as a file.txt in the /news folder together with the hazardous script.
4. Any other user who reads the news item gets the script executed.

Root cause: there is no proper input filtering and no HTML output encoding in their code.

CSRF
-------
CSRF, like XSS, is widespread, and virtually every site on the internet is vulnerable to it. It happens here too, but it is very severe (= 100) because a remote attack can switch the admin password (n0 kidding ^_^). The root cause is that the admin password can be changed without supplying the current password when the change is made. So an HTML FORM with that action, put up somewhere else such as a blog or a web app, can change the admin password automatically with JavaScript turned on if the admin reads news while logged in and follows the link to the bad site. The change can be faster than the cat's eye.

Notes: because the XSS and the CSRF are present together, it is possible to post a news item that automatically changes the admin password when the news item is viewed, cuz uv a m4d j4v4scr1pt0rs :/

Workaround: no workaround just yet. I sent the coder an email 6 months ago. Until then, read news through a MITM proxy so you can trap the request and response and delete the bad stuff each time, ok!
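The two root causes named in this advisory (news bodies echoed with no HTML output encoding, and a password change that needs neither the current password nor an anti-CSRF token), each shown beside its hardened form, as an added Python example that is not the advisory's or the EasyNews project's code; the admin record, session, token and function names are constructed stand-ins.

```python
import hmac
import html
import secrets

# Constructed in-memory stand-ins for the EasyNews admin account and the
# admin's session (hypothetical names, not the application's own storage).
ADMIN = {"password": "old-pass"}
SESSION = {"admin_logged_in": True, "csrf_token": secrets.token_hex(16)}


def render_news_unsafe(body: str) -> str:
    """Vulnerable pattern: the stored news body is echoed verbatim into the page,
    so a stored <script> runs in every reader's browser (persistent XSS)."""
    return f'<div class="news">{body}</div>'


def render_news_safe(body: str) -> str:
    """Hardened: HTML-encode on output, so the same stored text is shown as
    literal characters and is never parsed as markup."""
    return f'<div class="news">{html.escape(body, quote=True)}</div>'


def change_password_unsafe(new_password: str) -> bool:
    """Vulnerable pattern from the advisory: a logged-in admin session is the
    only check, so a form submitted from any other site changes the password."""
    if not SESSION["admin_logged_in"]:
        return False
    ADMIN["password"] = new_password
    return True


def change_password_safe(current_password: str, new_password: str, csrf_token: str) -> bool:
    """Hardened: demand the current password plus a per-session CSRF token.
    A third-party page can neither read the token nor know the current
    password, so a forged cross-site POST is rejected. Comparisons are
    constant-time to avoid leaking either secret through timing."""
    if not SESSION["admin_logged_in"]:
        return False
    if not hmac.compare_digest(csrf_token.encode(), SESSION["csrf_token"].encode()):
        return False
    if not hmac.compare_digest(current_password.encode(), ADMIN["password"].encode()):
        return False
    ADMIN["password"] = new_password
    return True


if __name__ == "__main__":
    news = 'Hi Say!<script>alert("PWND!")</script>'  # the advisory's test string
    print(render_news_unsafe(news))   # script tag survives into the page
    print(render_news_safe(news))     # script tag rendered as &lt;script&gt;
    print(change_password_unsafe("attacker-set"))                            # True
    print(change_password_safe("attacker-set", "fresh", "forged-token"))     # False
```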

