---------------------------------------------- | IMG Attack in the news : 6 CMS vulnerables | ---------------------------------------------- PROGRAM: XOOPS, PHP-NUKE, NPDS, daCode, Drupal, phpWebSite VULNERABLE VERSIONS: I believe that all versions are vulnerables IMMUNE VERSIONS: no immune current versions SEVERITY: high Tested version ============== Xoops RC3.0.4, PHP-Nuke 6.0, NPDS 4.8 SuperCache, daCode 1.2.0, Drupal 4.0.0 and phpWebSite 0.8.3 Description ============ After having sent ECHU alert on "Xoops RC3 script injection vulnerability" (http://www.echu.org/modules/news/article.php?storyid=95), I realize that it's not a XOOPS problem (Kazumi Ono, XOOPS Developper, and Jan304, XOOPS Dutch Support, confirmed this) but a html problem that is hard to fix and can be misuse in almost every cms. The problem appears when a user post a news, a vulnerability exists in these CMS that allow a typical IMG attack against visitors : <IMG SRC="javascript:alert('unsecure')"> In order to test this vulnerability, you can go on websites that use these CMS, post a news with this code and see the result. The problem =========== A badly disposed member can propose a news containing code (for une news containing code sample of a new vulnerability for example) and if webmasters or moderators don't take care, they will approve the news. Vendors status ============== XOOPS: It should be fix in futures versions PHP-NUKE: No emails on the website so we can't contact them NPDS: They have been contacted by Magistrat (http://www.blocus-zone.com/) and should fix it in futures versions daCode: No emails on the website so we can't contact them Drupal: No emails on the website so we can't contact them phpWebSite: It should be fix in futures versions Solution ======== There's no secure release of these CMS, so the unique solution is, at this moment, to disable Html, in each news post, to avoid the problem. The "removehack" from NPDS doesn't fix the problem even if NPDS team tell it does. Links ===== XOOPS: http://www.xoops.org PHP-NUKE: http://www.php-nuke.org NPDS: http://www.npds.org daCode: http://www.dacode.org Drupal: http://www.drupal.org phpWebSite: http://phpwebsite.appstate.edu Blocus Advisory on NPDS: http://www.blocus-zone.com/modules/news/article.php?storyid=132 This vulnerability's orginal paper can be found here: http://www.echu.org/modules/news/article.php?storyid=97 David Suzanne (aka dAs) das@echu.org http://www.echu.org ----------------------------------------------------------------- ECHU.ORG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall ECHU.ORG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. ----------------------------------------------------------------- Get your free encrypted email at https://www.hushmail.com
