Home page logo

bugtraq logo Bugtraq mailing list archives

[ARL02-A10] News-TNK Cross Site Scripting Vulnerability
From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 17 Mar 2002 01:01:36 -0000

+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A10    ----/----------/+
+/-----------\----- salper () olympos org  ---/-----------/+

Advisory Information
Name               : News-TNK Cross Site Scripting 
Software Package   : News-TNK
Vendor Homepage    : http://www.linux-sottises.net/
Vulnerable Versions: v1.2.1 and older
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.2.2 (immune)

News-TNK is script to submit, validate, unvalidate, 
comment, delete news on a website. Available in 
French and English at the present time.

A Cross Site Scripting vulnerability exists in 
News-TNK. This would allow a remote attacker 
to send information to victims from untrusted web 
servers, and make it look as if the information 
came from the legitimate server.

The URL's and the user input seem to be filtered 
pretty good. But I guess that the coders have missed 
a point. The "WEB" input when replying or creating 
topics, is not filtered enough. So a Cross Site 
Scripting vulnerability exists in News-TNK.

Example input for the "WEB" input
&lt;script&gt;alert("ALPERz was here!")&lt;/script&gt;

After submitting this information, whenever anyone 
browses the page where the news message is, the 
malicious code will take effect.

The vendor replied to my mail and released a new 
version which is immune to this vulnerability very 
quickly (on the same day :})

You may download the new version or use the 
method suggested by me, and approved by the 
vendor, if you have made any modifications to the 
news applet.

Strip HTML tags, and possibly other malicious code 
within "news_post.php" (or "news_post3.php). 

I suggest the following as a workaround;
At the beginning of "news_post.php" add the lines 
# Patch Start
# Patch End
More info about the new version and patches can be 
found at: 

Discovered on 15, March, 2002 by 
Ahmet Sabri ALPER 
salper () olympos org

Product Web Page: http://www.linux-sottises.net/

  By Date           By Thread  

Current thread:
  • [ARL02-A10] News-TNK Cross Site Scripting Vulnerability Ahmet Sabri ALPER (Mar 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]