[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <91a7344f04081804366b8cfa4b@mail.gmail.com>
Date: Wed, 18 Aug 2004 04:36:16 -0700
From: Anthony Petito <anthonypetito@...il.com>
To: Abu Lafy <off@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Cross-Site Scripting (XSS) in Php-Nuke 7.1.0
Uhm.. Why does your proof match almost exactly what was posted back on
10 February?
http://www.net-security.org/vuln.php?id=3245
I mean.. even down to the examples. Come on!
-Anthony
On 17 Aug 2004 12:28:36 -0000, Abu Lafy <off@...mail.com> wrote:
>
>
> Affected software description:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Php-Nuke is popular freeware content management system, written in php by
>
> Francisco Burzi. This CMS (COntent Management System) is used on many thousands
>
> websites, because it`s free of charge, easy to install and has broad set of features.
>
> Homepage: http://phpnuke.org
>
> Vulnerabilities:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> If we look at Php-Nuke`s history, then we can find many cases reporting the XSS
>
> in Php-Nuke. Most of them are fixed by now, when we have allready version 7.1.0
>
> available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0 , maybe in
>
> older versions too.
>
> Exploit:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Let`s look at code from "/modules/News/friend.php" line 84-92 (Php-Nuke 7.1.0):
>
> function StorySent($title, $fname) {
>
> include ("header.php");
>
> $title = urldecode($title);
>
> $fname = urldecode($fname);
>
> OpenTable();
>
> echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT." $fname... "._THANKS."</font></center>";
>
> CloseTable();
>
> include ("footer.php");
>
> }
>
> If we deliver $title or $fname by GET or POST variable, then we have XSS
>
> conditions here. But Php-Nuke will reject GET and POST requests with <script> tags.
>
> One way to evade this filter is the using of <img src=foo onload=[code here]>.
>
> There is better way to exploit the XSS, and it`s the using of partially or fully
>
> urlencoded ("hexed") script for exploit. And because we have lines
>
> $title = urldecode($title);
>
> and
>
> $fname = urldecode($fname);
>
> in original code, it will be urldecoded and will work for us, but GET or POST
>
> filtering can`t recognize the "<script>" pattern.
>
> Same problem has one more module - "Reviews".
>
> Proof of concept examples:
>
> http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
>
> http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script>
>
> ==================
>
> Abu Lafy
>
>
--
Anthony Petito
Powered by blists - more mailing lists