On Thu, May 12, 2011 at 09:59:16AM +0700, Bkis wrote:
> 1. General Information
>
> sNews is a free content management system (CMS) written in PHP and MySQL. It
> is available at http://snewscms.com/. In April 2011, Bkis Security discovered
> an XSS (Cross-site Scripting) vulnerability in sNews CMS version 1.7.1.
> Taking advantage of this vulnerability, a hacker might execute malicious code
> or get the cookie of the CMS’s administrator.
>
> Details: http://security.bkis.com/snews-1-7-1-xss-vulnerability/
> SVRT Advisory: Bkis 01-2011
> Initial vendor notification: 01/05/2011
> Release Date: 12/05/2011
> Update Date: 12/05/2011
> Discovered by: Cao Xuan Sang - Bkis
> Attack Type: XSS
> Security Rating: High
> Impact: Code Execution
> Affected Software: sNews 1.7.1 (possibly in some earlier versions)
>
> 2. Technical Descriptions
>
> An XSS vulnerability exists in the “reorder” functions of the administrator:
> Categories reorder, Articles reorder and Pages reorder. Here, input variables
> are not adequately checked and filtered before querying the database. If a
> special character is added to the value, the SQL query will have wrong
> syntax, and the error notification is displayed in the browser together with
> the value of the erroneous variable and the erroneous query, causing the XSS
> vulnerability.
> It is the administrators who are affected by this vulnerability. With
> different scenarios, a hacker is able to steal the administrator’s cookie or
> redirect the browser to a malicious website, etc.
>
> 3. Solution
> sNews’s development team has not yet issued a patch for this vulnerability.
> Thus, Bkis recommends that individuals and organizations using this software
> fix the flaw as follows:
> Search in file snews.php for:
> $type_id = str_replace($remove,'',$key);
> Then, add the code below:
> $value = clean(cleanXSS(trim($value)));
>
> 4. About Bkis
> Bkis is the leading Vietnamese company in researching and deploying network
> security software and solutions.
> website: http://bkis.vn
Identifier CVE-2011-2706 is assigned for this issue. Please edit the advisory
accordingly.

Best regards,
Henri Salo
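For readers who want to see the pattern the quoted advisory describes next to a defensive shape, the following PHP illustration is added here; it is not sNews code and not Bkis's fix. The table name, the `order_` key prefix, the function names and the mysqli usage are assumptions. The advisory's own patch relies on sNews's clean() and cleanXSS() helpers, whose internals are not on this page; the example instead uses standard PHP integer validation, a prepared statement and output encoding, which is the general defence for an error path that reflects unfiltered input and the failed query into the admin page.

```php
<?php
// Added illustration, not sNews code: a hypothetical "reorder" handler in the
// shape the advisory describes, beside a hardened version. The table name,
// the "order_" key prefix and all function names are assumptions.

// Vulnerable shape. The posted value is concatenated into the SQL string, and
// the error branch reflects both the raw value and the failed query into the
// page. A value containing a quote breaks the query; if it also contains
// markup, that markup is rendered unescaped in the administrator's browser.
function reorder_vulnerable(array $post, mysqli $db): string
{
    foreach ($post as $key => $value) {
        if (strpos($key, 'order_') !== 0) {
            continue;
        }
        $type_id = str_replace('order_', '', $key);
        $sql = "UPDATE categories SET position = $value WHERE id = $type_id";
        if (!$db->query($sql)) {
            return "Error reordering $type_id with value $value: $sql"; // unescaped
        }
    }
    return 'ok';
}

// Validation that needs no database: keep only well-formed id/position pairs.
// Returns [id => position] for valid entries plus the list of rejected keys.
function parse_reorder_input(array $post): array
{
    $valid = [];
    $rejected = [];
    foreach ($post as $key => $value) {
        if (strpos($key, 'order_') !== 0) {
            continue;
        }
        $type_id = substr($key, strlen('order_'));
        // Both the id and the position must be plain non-negative integers;
        // anything else (quotes, tags, spaces) is rejected and never echoed raw.
        // The string cast keeps ctype_digit() from treating ints as char codes.
        if (ctype_digit($type_id) && is_scalar($value) && ctype_digit((string) $value)) {
            $valid[(int) $type_id] = (int) $value;
        } else {
            $rejected[] = $key;
        }
    }
    return [$valid, $rejected];
}

// Hardened shape: integer validation, a prepared statement with bound
// parameters, no query text in the response, driver errors kept in the server
// log, and HTML encoding of anything reflected back to the administrator.
function reorder_hardened(array $post, mysqli $db): string
{
    [$valid, $rejected] = parse_reorder_input($post);
    if ($rejected !== []) {
        $shown = htmlspecialchars(implode(', ', $rejected), ENT_QUOTES, 'UTF-8');
        return "Rejected malformed reorder fields: $shown";
    }
    $stmt = $db->prepare('UPDATE categories SET position = ? WHERE id = ?');
    $position = 0;
    $id = 0;
    $stmt->bind_param('ii', $position, $id); // bound by reference, set per row
    foreach ($valid as $id => $position) {
        if (!$stmt->execute()) {
            error_log('reorder failed for id ' . $id . ': ' . $stmt->error);
            return 'Reorder failed; see server log.';
        }
    }
    return 'ok';
}
```

The design point is that the vulnerable branch mixes three separate concerns: input that is never validated, a query built by string concatenation, and an error message that doubles as an output sink for both. Fixing each on its own (validate the id and position as integers, bind them as parameters, encode whatever is shown and log the driver error instead of displaying the query) removes the reflection regardless of which of the three reorder functions is reached.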