Secunia

Manuel López has reported some vulnerabilities in News Manager Lite, allowing malicious people to gain administrative access, conduct Cross Site Scripting and SQL injection attacks.

User input passed to certain parameters isn't verified properly before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Examples:
comment_add.asp?ID=3&email=<malicious_code>
search.asp?search=<malicious_code>
category_news_headline.asp?ID=2&n=<malicious_code>

User input passed to certain parameters isn't verified properly before it is being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Examples:
more.asp?ID='<malicious_SQL>
category_news.asp?ID='<malicious_SQL>
news_sort.asp?filter='<malicious_SQL>

The administrative user session isn't properly verified, since it's merely based on a cookie containing the userid and an admin flag. This can be exploited to gain administrative access by constructing a valid authentication cookie.

Example:
NEWS_LOGIN=ADMIN=1&ID=1

The vulnerabilities have been reported in version 2.5.

Solution
Update to version 2.6 or later.

Provided and/or discovered by
Manuel López

Changelog
Further details available in Customer Area

Original Advisory
http://www.expinion.net/support/issue_view.asp?ID=1308

Deep Links
Links available in Customer Area