Message-ID: <200308101727.h7AHRc3d011361@novappc.com>
Date: Sun, 10 Aug 2003 19:27:38 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
To: bugtraq@...urityfocus.com
Subject: PostNuke Downloads & Web_Links ttitle variable XSS
PostNuke Downloads & Web_Links ttitle variable XSS
------
Product: PostNuke
Vendor: PostNuke (http://www.POSTNUKE.COM)
Versions Vulnerable:
PostNuke Phoenix 0.7.x.x
Phoenix 0.7.2.3 with patches (all versions)
Phoenix 0.7.2.3 without patches (all versions)
0.7.2.1
(all versions prior to 0.7.2.3, with or without patches)
Versions Not Vulnerable:
- ?
---------------------
Description:
PostNuke, one of the most widely used PHP portal systems, is again affected
by XSS attacks, this time in modules that use vulnerable URL-passed
variables. Again, the XSS uses the tag-closing technique (we think we were
the first group to use this technique): passing the URL-encoded value of
"> , which is "%3e , so that the quoted attribute is closed early and the
rest of the value is rendered as markup.
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
I encountered an XSS (Cross Site Scripting) vulnerability in the
ttitle variable of the Downloads & Web_Links modules that allows you to
include script code in the website.
---------------------
| XSS IN |
| TTITLE |
---------------------
The XSS is in the Downloads module variable called ttitle:
http://[HOST]/[PATH]/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=[ID]&ttitle=[Yeye XSS ;-)]"%3e[XSS ATTACK]
And, of course, you get the XSS attack in the download page.
Simple and fast.
And the Web_Links module hole...
http://[HOST]/[PATH]/modules.php?op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=[ID]&ttitle=[MORE ? ;-(]"%3e[XSS ATTACK]
Examples:
http://[HOST]/[PATH]/modules.php?op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=666&ttitle=Mocosoft Utilities"%3e<h1>I like this hell</h1>
http://[HOST]/[PATH]/modules.php?op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=2553254325446&ttitle=%73%63%6F,%66%61%6B%20%75"%3e<h1>Un ASCII it...</h1><iframe src=http://packetstorm.linuxsecurity.com/javascript/text-convertor-v2.0.html></iframe>
- Proof of Concept: -
1.- Find a PostNuke portal.
2.- Check whether the Downloads / Web_Links modules are active, and...
3.- modify the ttitle variable using "%3e and write an XSS payload to
test it.
4.- that's all folks
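As an added example (not from this advisory and not PostNuke's own code), a Python sketch of the mechanism and of the fix. It assumes the decoded ttitle value lands inside a quoted HTML attribute: the unsafe template echoes it raw, so the "%3e prefix closes the attribute and opens new tags, while htmlspecialchars(ENT_QUOTES)-style escaping keeps it inert. A small filter over constructed access-log lines shows how a defender can flag requests carrying the trick.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the advisory's Web_Links example
# (path and lid are placeholders, not a real site).
REQUEST = ("/pn/modules.php?op=modload&name=Web_Links&file=index"
           "&req=viewlinkdetails&lid=666"
           "&ttitle=Mocosoft%20Utilities%22%3e%3Ch1%3Eowned%3C/h1%3E")

# Constructed access-log lines: one benign, one carrying the "%3e trick.
LOG_LINES = [
    '203.0.113.5 - - [10/Aug/2003:19:27:38 +0200] "GET /pn/modules.php?'
    'op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=666'
    '&ttitle=Mocosoft%20Utilities HTTP/1.0" 200 5123',
    '203.0.113.5 - - [10/Aug/2003:19:28:02 +0200] "GET /pn/modules.php?'
    'op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=12'
    '&ttitle=x%22%3e%3Cscript%3E HTTP/1.0" 200 5201',
]

def ttitle_from_url(url):
    """Decode the ttitle parameter the way PHP's $_GET would (%22 -> ", %3e -> >)."""
    return parse_qs(urlsplit(url).query).get("ttitle", [""])[0]

def render_vulnerable(ttitle):
    # Assumed template: the value is echoed straight into a quoted attribute,
    # so a leading '">' terminates the attribute and the tag.
    return '<input type="hidden" name="ttitle" value="%s">' % ttitle

def render_fixed(ttitle):
    # Equivalent of htmlspecialchars($ttitle, ENT_QUOTES): quotes and angle
    # brackets become entities and can no longer close the attribute.
    return '<input type="hidden" name="ttitle" value="%s">' % html.escape(ttitle, quote=True)

def tag_count(markup):
    """Number of HTML tags in the rendered fragment; the template itself has one."""
    return len(re.findall(r"<[a-zA-Z/]", markup))

def suspicious_ttitle(log_line):
    """Flag a request whose decoded ttitle carries attribute- or tag-breaking characters."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    return bool(m) and any(c in ttitle_from_url(m.group(1)) for c in '"<>')

if __name__ == "__main__":
    value = ttitle_from_url(REQUEST)
    print("vulnerable:", render_vulnerable(value), tag_count(render_vulnerable(value)))
    print("fixed:     ", render_fixed(value), tag_count(render_fixed(value)))
    print("flagged:", [suspicious_ttitle(line) for line in LOG_LINES])
```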
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
NSRG-19-7