[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200308091839.h79Id7F6023128@novappc.com>
Date: Sat, 9 Aug 2003 20:39:07 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
To: bugtraq@...urityfocus.com
Subject: PostNuke Downloads & Web_Links ttitle variable XSS
PostNuke Downloads & Web_Links ttitle variable XSS
------
Product: PostNuke
Vendor: PostNuke WWW.POSTNUKE.COM <http://www.POSTNUKE.COM>
Versions Vulnerable:
PostNuke Phoenix 0.7.x.x
Phoenix 0.7.2.3 with patches ( in all versions )
Phoenix 0.7.2.3 without patches (in all versions )
0.7.2.1
(All prior versions of 0.7.2.3 with/without patches)
NO VULNERABLE VERSIONS
- ?
---------------------
Description:
PostNuke , one of the most used php portal systems , is affected again
by XSS attacks , now in some modules that use
vulnerable url-passed variables.Again , the XSS is made by closing tags
technic ( we think that we were the first group using this technic )
and passing the url encoded value of the "> , it is "%3e .
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
I encountered a XSS ( Cross Site Scripting ) vulnerability in the
ttitle variable of Downloads & Web_Links module that allows you to
include script code
in the website.
---------------------
| XSS IN |
| TTITLE |
---------------------
The XSS is in the VARIABLE OF THE DOWNLOADS MODULE CALLED TTITLE :
http://[HOST]/[PATH]/modules.php?
op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=[ID]
&ttitle=[Yeye XSS ;-)]"%3e[XSS ATTACK]
And you get , of course , the xss attack in the download page .
Simple and fast.
And the Web_Links module hole...
http://[HOST]/[PATH]/modules.php?
op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=[ID]
&ttitle=[MORE ? ;-(]"%3e[XSS ATTACK]
Examples:
http://[HOST]/[PATH]/modules.php?
op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=666&ttitle=
Mocosoft Utilities"%3e<h1>I like this hell</h1>
http://[HOST]/[PATH]/modules.php?
op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=25532543254
46&ttitle=%73%63%6F,%66%61%6B%20%75"%3e<h1>Un ASCII it...</h1><iframe
src=http://packetstorm.linuxsecurity.com/javascript/text-convertor-
v2.0.html></iframe>
- Proof of Concepts: -
1.- Check a PostNuke portal.
2.- Check if the Downloads / Web_Links modules are active and..
3.- modify the ttitle variable using "%3e and write a xss attack for
test it.
4.- that's all folks
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
NSRG-19-7
Powered by blists - more mailing lists