Message-ID: <20040208201324.32664.qmail@www.securityfocus.com>
Date: 8 Feb 2004 20:13:24 -0000
From: Janek Vind <come2waraxe@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0
{================================================================================}
{ [waraxe-2004-SA#002] }
{================================================================================}
{ }
{ [ Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 08 Feb 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular freeware content management system, written in PHP by
Francisco Burzi. This CMS (Content Management System) is used on many thousands of
websites, because it's free of charge, easy to install and has a broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If we look at Php-Nuke's history, we can find many reports of XSS
in Php-Nuke. Most of them are fixed by now, with version 7.1.0 already
available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0, maybe in
older versions too.
Exploit:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's look at the code from "/modules/News/friend.php", lines 84-92 (Php-Nuke 7.1.0):
function StorySent($title, $fname) {
    include ("header.php");
    $title = urldecode($title);
    $fname = urldecode($fname);
    OpenTable();
    echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT." $fname... "._THANKS."</font></center>";
    CloseTable();
    include ("footer.php");
}
If we deliver $title or $fname as a GET or POST variable, we have XSS
conditions here. But Php-Nuke rejects GET and POST requests containing <script> tags.
One way to evade this filter is to use <img src=foo onload=[code here]>.
There is a better way to exploit the XSS: using a partially or fully
urlencoded ("hexed") script. Because the lines
$title = urldecode($title);
and
$fname = urldecode($fname);
are in the original code, the input is urldecoded once more and works for us, while the GET and POST
filtering can't recognize the "<script>" pattern.
One more module, "Reviews", has the same problem.
Proof of concept examples:
http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script>
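The root cause described above is a double decode: the web server and PHP have already URL-decoded $_GET and $_POST before friend.php runs, so the extra urldecode() calls turn a once-decoded "%3cscript>" into a literal tag after any request filter has looked at the value. The following is an added example, not Php-Nuke's own code, showing the vulnerable rendering beside a hardened version that does not re-decode and HTML-encodes the values at output time. The _FSTORY, _HASSENT and _THANKS language constants, the header/footer includes and the OpenTable()/CloseTable() calls are replaced by plain strings so the snippet runs stand-alone; the sample input is constructed.

```php
<?php
// Added example (not Php-Nuke code): the StorySent message from
// modules/News/friend.php, reduced to a function that returns the HTML.
//
// PHP has already URL-decoded $_GET / $_POST by the time user code sees them,
// so urldecode() here decodes a second time. A request filter that inspects
// the once-decoded value never sees the markup the browser will receive.

// Vulnerable behaviour, kept for comparison: re-decodes and echoes raw.
function story_sent_html_vulnerable(string $title, string $fname): string {
    $title = urldecode($title);   // second decode: %3c -> <
    $fname = urldecode($fname);
    return "<center><font class=\"content\">Story <b>$title</b> "
         . "has been sent to $fname... Thanks!</font></center>";
}

// Hardened version: no second decode, and every untrusted value is escaped
// with htmlspecialchars() (ENT_QUOTES so it is also safe inside attributes).
// Output encoding is the fix; the <script> blocklist is not relied upon.
function story_sent_html(string $title, string $fname): string {
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $safeFname = htmlspecialchars($fname, ENT_QUOTES, 'UTF-8');
    return "<center><font class=\"content\">Story <b>$safeTitle</b> "
         . "has been sent to $safeFname... Thanks!</font></center>";
}

// Constructed sample: what PHP hands the script after the server decoded a
// doubly-encoded title (like the advisory's "%253c...") exactly once.
$title = '%3cscript>x%3c/script>';
$fname = 'alice';

echo "Vulnerable: " . story_sent_html_vulnerable($title, $fname) . "\n";
echo "Hardened:   " . story_sent_html($title, $fname) . "\n";
```

Running it shows the vulnerable function emitting a live <script> element, while the hardened one renders the same input as visible text ("&lt;script&gt;x&lt;/script&gt;"). Note that the hardened function also leaves the "%3c" sequence untouched, since a title that legitimately contains "%3c" should display exactly that; the decoding contract belongs to the web server, not the page template.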
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all white-, gray-, and blackhats in Estonia!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@...oo.com
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------