exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

waraxe-2004-SA002.txt

waraxe-2004-SA002.txt
Posted Feb 9, 2004
Authored by Janek Vind aka waraxe

A cross site scripting vulnerability exists in PHP-Nuke 7.1.0.

tags | advisory, php, xss
SHA-256 | 20ab7b5e841d9d4fb0e967215db2605948f0ef833bf39f0559bbbf06b316eec7

waraxe-2004-SA002.txt

Change Mirror Download




{================================================================================}
{ [waraxe-2004-SA#002] }
{================================================================================}
{ }
{ [ Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 08 Feb 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it`s free of charge, easy to install and has broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If we look at Php-Nuke`s history, then we can find many cases reporting the XSS
in Php-Nuke. Most of them are fixed by now, when we have allready version 7.1.0
available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0 , maybe in
older versions too.


Exploit:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let`s look at code from "/modules/News/friend.php" line 84-92 (Php-Nuke 7.1.0):


function StorySent($title, $fname) {
include ("header.php");
$title = urldecode($title);
$fname = urldecode($fname);
OpenTable();
echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT." $fname... "._THANKS."</font></center>";
CloseTable();
include ("footer.php");
}


If we deliver $title or $fname by GET or POST variable, then we have XSS
conditions here. But Php-Nuke will reject GET and POST requests with <script> tags.
One way to evade this filter is the using of <img src=foo onload=[code here]>.

There is better way to exploit the XSS, and it`s the using of partially or fully
urlencoded ("hexed") script for exploit. And because we have lines

$title = urldecode($title);

and

$fname = urldecode($fname);

in original code, it will be urldecoded and will work for us, but GET or POST
filtering can`t recognize the "<script>" pattern.

Same problem has one more module - "Reviews".


Proof of concept examples:

http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>

http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script>



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ulljobu, djzone, raider and to all white-, gray-, and blackhats in Estonia!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close