
List:       bugtraq
Subject:    [waraxe-2004-SA#005 - XSS in Php-Nuke 7.1.0 - part 2]
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-03-15 18:39:48
Message-ID: 20040315183948.6910.qmail () www ! securityfocus ! com





{================================================================================}
{                              [waraxe-2004-SA#005]                              }
{================================================================================}
{                                                                                }
{                       [ XSS in Php-Nuke 7.1.0 - part 2 ]                       }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Php-Nuke is a popular freeware content management system, written in PHP by
Francisco Burzi. This CMS (Content Management System) is used on many thousands of
websites, because it is free of charge, easy to install and has a broad set of features.

Homepage: http://phpnuke.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Throughout the history of PhpNuke there have been many messages and
announcements about Cross-Site Scripting (XSS) problems in this popular content
management system. PhpNuke has already reached version 7.1.0, but we still cannot
call it secure software. This advisory - "waraxe-2004-SA#005" - is meant to
uncover some more XSS cases, besides those I published earlier in
"waraxe-2004-SA#002". So, let's begin...

1. http://localhost/nuke71/modules.php?name=Feedback

  If we put the following string in the "Your Name" field:


                "><body onload=alert(document.cookie);> 


  then we have XSS conditions. The same applies to the email field.


2. http://localhost/nuke71/modules.php?name=Your_Account&op=pass_lost
   
   In the "nicname" field we use "><body onload=alert(document.cookie);> and XSS is
   available.

   Remark - you need to make a custom form, because in the original HTML code the
   "nicname" text field has a limited length of 15 symbols. That limit is only a
   client-side maxlength attribute, so it is not enforced by the server.


3. http://localhost/nuke71/modules.php?name=Recommend_Us&op=SiteSent&fname=>[xss code here]

   Remark - because the GET parameters are filtered in PhpNuke, we need to build
   custom HTML code with a proper form and then use POST parameters to complete the
   mission. By the way - even COOKIE parameters can be used for this, and that is really
   handy, because COOKIE data is rarely logged by web server software. This
   applies to all XSS cases in PhpNuke, because of the use of the code
   "import_request_variables('GPC');" in mainfile.php ;)


4. http://localhost/nuke71/modules.php?name=Downloads&d_op=TopRated&ratenum=>[xss code here]&ratetype=x


5. http://localhost/nuke71/modules.php?name=Journal&file=search&disp=showsearch

   The search field can be used to carry out the XSS.


Finally - with XSS we can steal cookies and use them to pretend to be somebody
else (authentication bypass), and if the impersonated victim has admin rights
in PhpNuke, then the entire website is already compromised...
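As an added illustration (example code written for this page, not Php-Nuke's own code), the pattern behind cases 1 to 3: a handler that echoes a form field into a page without encoding, beside a hardened version that reads the field only from the intended request source and HTML-encodes it on output. The function names, the field name "your_name" and the length limit are assumptions.

```php
<?php
// Added example, not Php-Nuke code. Models a feedback form echoing a name field.

// Vulnerable pattern: the value comes from whatever request source supplied it
// (GET, POST or COOKIE, since import_request_variables('GPC') merged them into
// globals) and is echoed raw, so a quote and ">" close the attribute and the
// rest of the value becomes new markup.
function render_vulnerable(array $request): string
{
    $name = $request['your_name'] ?? '';
    return '<input type="text" name="your_name" value="' . $name . '">';
}

// Hardened pattern: read the field only from the form POST, enforce the length
// limit on the server (an HTML maxlength is client-side only and trivially
// bypassed with a custom form), and HTML-encode on output so quotes and angle
// brackets stay literal text.
function render_hardened(array $post): string
{
    $name = $post['your_name'] ?? '';
    if (!is_string($name) || strlen($name) > 255) {
        $name = '';                      // reject oversized or non-string input
    }
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="your_name" value="' . $safe . '">';
}

// Constructed sample input using the probe string from the advisory.
$probe  = '"><body onload=alert(document.cookie);>';
$cookie = ['your_name' => $probe];       // value supplied via the Cookie header

// Simulate import_request_variables('GPC'): later letters override earlier
// ones, so a cookie wins over GET and POST values of the same name.
$merged = array_merge($_GET, $_POST, $cookie);

echo render_vulnerable($merged), "\n";   // attribute closed, <body ...> injected
echo render_hardened($_POST), "\n";      // cookie value never consulted
echo render_hardened($cookie), "\n";     // even if passed in, it is encoded:
                                         // value="&quot;&gt;&lt;body ...&gt;"
```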



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------

