List: bugtraq
Subject: [waraxe-2004-SA#005 - XSS in Php-Nuke 7.1.0 - part 2]
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2004-03-15 18:39:48
Message-ID: 20040315183948.6910.qmail () www ! securityfocus ! com
{================================================================================}
{ [waraxe-2004-SA#005] }
{================================================================================}
{ }
{ [ XSS in Php-Nuke 7.1.0 - part 2 ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular freeware content management system, written in PHP by
Francisco Burzi. This CMS (Content Management System) is used on many thousands of
websites, because it is free of charge, easy to install and has a broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Throughout the history of PhpNuke there have been many messages and
announcements about Cross-Site Scripting (XSS) problems in this popular content
management system. PhpNuke has now reached version 7.1.0, but we still cannot
say that it is secure software. This advisory - "waraxe-2004-SA#005" - is meant to
uncover some more XSS cases, besides those published earlier by me in
"waraxe-2004-SA#002". So, let's begin...
1. http://localhost/nuke71/modules.php?name=Feedback
If we enter in the "Your Name" field the string:
"><body onload=alert(document.cookie);>
then we have an XSS condition. The same applies to the email field.
2. http://localhost/nuke71/modules.php?name=Your_Account&op=pass_lost
In the "nicname" field we use "><body onload=alert(document.cookie);> and XSS is
available.
Remark - a custom form is needed, because the original HTML code limits the
length of the "nicname" text field to 15 characters.
3. http://localhost/nuke71/modules.php?name=Recommend_Us&op=SiteSent&fname=>[xss code here]
Remark - because GET parameters are filtered in PhpNuke, we need to build
custom HTML code with a proper form and then use POST parameters to complete the
mission. By the way - even COOKIE parameters can be used for this, and it is really
handy, because COOKIE data rarely gets logged by web server software. This
applies to all XSS cases in PhpNuke, because of the use of the code
"import_request_variables('GPC');" in mainfile.php ;)
4. http://localhost/nuke71/modules.php?name=Downloads&d_op=TopRated&ratenum=>[xss code here]&ratetype=x
5. http://localhost/nuke71/modules.php?name=Journal&file=search&disp=showsearch
The search field can be exploited to carry out the XSS.
Finally - if we use XSS, we can steal cookies and use them to pretend to be somebody
else (authentication bypass), and if the impersonated victim has admin rights
in PhpNuke, then the entire website is already compromised...
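The following is an added illustration for this advisory, not code from PhpNuke or from the author: it puts the pattern behind all five cases (a request value echoed into the page unencoded, with GET, POST and COOKIE merged into one namespace by import_request_variables('GPC')) beside a hardened handler. Function names, the "name" field and the 15-character limit are assumptions chosen to mirror the Feedback and pass_lost cases; the payload string is the one quoted above and is used only as constructed test input.

```php
<?php
// Added example, not PhpNuke code. Function names and field names are assumed.

// Constructed test input: the payload string quoted in this advisory.
const SAMPLE_PAYLOAD = '"><body onload=alert(document.cookie);>';

// Vulnerable pattern: a value that may have arrived via GET, POST or COOKIE
// (import_request_variables('GPC') exposes all three as globals) is pasted
// straight into an HTML attribute, so the browser parses the injected tag.
function renderNameVulnerable(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened input handling:
//  1. read the field from one explicit source ($_POST), so a cookie- or
//     GET-supplied value cannot stand in for the form field; this also
//     removes the "rarely logged" cookie channel the advisory points out;
//  2. enforce the length limit on the server, because a client-side
//     maxlength is defeated by simply submitting a custom form;
//  3. reject rather than silently truncate, so the attempt is visible.
function readPostField(array $post, string $field, int $maxLen): ?string
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $value = $post[$field];
    if (strlen($value) > $maxLen) {
        return null; // over the limit: reject, and log it in a real handler
    }
    return $value;
}

// Hardened output: HTML-encode on output with ENT_QUOTES so both quote
// characters and angle brackets become entities and cannot close the
// attribute or open a new tag.
function renderNameHardened(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="name" value="' . $safe . '">';
}

// Demonstration with the constructed payload.
echo "Vulnerable: " . renderNameVulnerable(SAMPLE_PAYLOAD) . "\n";

$name = readPostField(['name' => SAMPLE_PAYLOAD], 'name', 15);
if ($name === null) {
    echo "Hardened:   field rejected (missing or longer than 15 characters)\n";
} else {
    echo "Hardened:   " . renderNameHardened($name) . "\n";
}

// Even without the length limit, the encoding step alone neutralises the
// payload: every quote becomes &quot; and every angle bracket &lt; or &gt;.
echo "Encoded:    " . renderNameHardened(SAMPLE_PAYLOAD) . "\n";
```

Run with `php example.php`. The two halves of the fix are independent: explicit `$_POST` lookup and the server-side length check remove the parameter-source confusion and the bypassable client-side limit, while `htmlspecialchars` with `ENT_QUOTES` is what actually stops the injected attribute and tag from being parsed. The encoding step must be applied at every output point, not just on the fields listed in this advisory.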
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------