Uhm.. Why does your proof match almost exactly what was posted back on 10 February? http://www.net-security.org/vuln.php?id=3245 I mean.. even down to the examples. Come on! -Anthony On 17 Aug 2004 12:28:36 -0000, Abu Lafy <off@xxxxxxxxxxx> wrote: > > > Affected software description: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Php-Nuke is popular freeware content management system, written in php by > > Francisco Burzi. This CMS (COntent Management System) is used on many thousands > > websites, because it`s free of charge, easy to install and has broad set of features. > > Homepage: http://phpnuke.org > > Vulnerabilities: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > If we look at Php-Nuke`s history, then we can find many cases reporting the XSS > > in Php-Nuke. Most of them are fixed by now, when we have allready version 7.1.0 > > available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0 , maybe in > > older versions too. > > Exploit: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Let`s look at code from "/modules/News/friend.php" line 84-92 (Php-Nuke 7.1.0): > > function StorySent($title, $fname) { > > include ("header.php"); > > $title = urldecode($title); > > $fname = urldecode($fname); > > OpenTable(); > > echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT." $fname... "._THANKS."</font></center>"; > > CloseTable(); > > include ("footer.php"); > > } > > If we deliver $title or $fname by GET or POST variable, then we have XSS > > conditions here. But Php-Nuke will reject GET and POST requests with <script> tags. > > One way to evade this filter is the using of <img src=foo onload=[code here]>. > > There is better way to exploit the XSS, and it`s the using of partially or fully > > urlencoded ("hexed") script for exploit. And because we have lines > > $title = urldecode($title); > > and > > $fname = urldecode($fname); > > in original code, it will be urldecoded and will work for us, but GET or POST > > filtering can`t recognize the "<script>" pattern. > > Same problem has one more module - "Reviews". > > Proof of concept examples: > > http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script> > > http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script> > > ================== > > Abu Lafy > > -- Anthony Petito
