PHP-Nuke versions 8.0 and below suffer from cross site scripting and anti-automation vulnerabilities.
e353f481a6b20931ff2c1c02ca73dd7dda868dec4d5773e41b843afbf6df3e7c
Hello list!
I want to warn you about Insufficient Anti-automation and Cross-Site
Scripting vulnerabilities in PHP-Nuke.
SecurityVulns ID: 11485.
-------------------------
Affected products:
-------------------------
Vulnerable are PHP-Nuke 8.0 and previous versions.
----------
Details:
----------
Insufficient Anti-automation (WASC-21):
http://site/modules.php?name=Submit_News
In the form there is no protection from automated requests (captcha).
XSS (WASC-08):
http://site/modules.php?name=Submit_News
"><img src=' onerror="javascript:alert(document.cookie)
In field Title.
<img src=' onerror="javascript:alert(document.cookie)">
In fields Story Text and Extended Text. Will work at using of tinyMCE in the
form.
------------
Timeline:
------------
2011.01.14 - announced at my site.
2011.01.15 - informed developers.
2011.03.09 - disclosed at my site.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4842/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua