<<< Date Index >>>     <<< Thread Index >>>

Re: Cross-Site Scripting (XSS) in Php-Nuke 7.1.0



Uhm.. Why does your proof match almost exactly what was posted back on
10 February?

http://www.net-security.org/vuln.php?id=3245

I mean.. even down to the examples.  Come on!

-Anthony


On 17 Aug 2004 12:28:36 -0000, Abu Lafy <off@xxxxxxxxxxx> wrote:
> 
> 
> Affected software description:
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>     Php-Nuke is popular freeware content management system, written in php by
> 
> Francisco Burzi. This CMS (COntent Management System) is used on many 
> thousands
> 
> websites, because it`s free of charge, easy to install and has broad set of 
> features.
> 
> Homepage: http://phpnuke.org
> 
> Vulnerabilities:
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>     If we look at Php-Nuke`s history, then we can find many cases reporting 
> the XSS
> 
> in Php-Nuke. Most of them are fixed by now, when we have allready version 
> 7.1.0
> 
> available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0 , 
> maybe in
> 
> older versions too.
> 
> Exploit:
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>     Let`s look at code from "/modules/News/friend.php" line 84-92 (Php-Nuke 
> 7.1.0):
> 
> function StorySent($title, $fname) {
> 
>     include ("header.php");
> 
>     $title = urldecode($title);
> 
>     $fname = urldecode($fname);
> 
>     OpenTable();
> 
>     echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> 
> "._HASSENT." $fname... "._THANKS."</font></center>";
> 
>     CloseTable();
> 
>     include ("footer.php");
> 
> }
> 
> If we deliver $title or $fname by GET or POST variable, then we have XSS
> 
> conditions here. But Php-Nuke will reject GET and POST requests with 
> &lt;script&gt; tags.
> 
> One way to evade this filter is the using of <img src=foo onload=[code here]>.
> 
> There is better way to exploit the XSS, and it`s the using of partially or 
> fully
> 
> urlencoded ("hexed") script for exploit. And because we have lines
> 
> $title = urldecode($title);
> 
> and
> 
> $fname = urldecode($fname);
> 
> in original code, it will be urldecoded and will work for us, but GET or POST
> 
> filtering can`t recognize the "&lt;script&gt;" pattern.
> 
> Same problem has one more module - "Reviews".
> 
> Proof of concept examples:
> 
> http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
> 
> http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script>
> 
> ==================
> 
> Abu Lafy
> 
> 


-- 
Anthony Petito